APPENDIX AC 

SSIDaemon.cpp 



//for 2000 
#mclude "stdafe.h" 

EnumProc.h 

#include <windows.h> 



t\pedef BOOL (CALLBACK *PROCENUMPROC)( DWORD, WORD, LPCSTR, LPARAM ); 
BOOL WINAPI EnumProcs( PROCENUMPROC IpProc, LPARAM IParam ); 
//James add 

BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam); 

//end • 

^jc******************** EnumProc.c (or cpp) *********************/ 
//"include "EnumProc.h" 
^include <tlhelp32,h> 
^include <vdmdbg.h> 

rinclude "stdio.h" 

n pedef struct 
{ 

DWORD dwPID; 
PROCENUMPROC IpProc; 
DWORD IParam; 
BOOL bEnd; 
} EnumlnfoStruct; 

// to use this function, declare the following 

//BOOL CALLBACK Proc ( DWORD dw, WORD wl6, LPCSTR Ipstr, LPARAM IParam ); 



// arrays of start and current processor list 
const max_count 35; 
PROCESSENTRY32 startProcs[max_count]; 
PROCESSENTRY32 currentProcs[max_count]; 
PROCESSENTRY32 validProcs[max_count]; 
BOOL fu-stTime; 



BOOL WINAPI Enuml6( DWORD dwThreadId, WORD hModl6, WORD hTaskl6, 

PSZ pszModName, PSZ pszFileName, LPARAM IpUserDefmed ) ; 
BOOL GetWordPath(LPOLESTR szApp, LPSTR szPath, ULONG cSize); 

void nullCurrentProcListO; 
void killAUNonValidProcsO; 

BOOL CALLBACK Proc( DWORD PID, WORD wl6,LPCSTR Ipstr, LPARAM IParam ) 

( 

LONG *count - (LONG *) IParam; 
if(lpstr !=NULL && strlen(lpstr)) 
{ 



if(firstTime=-=TRUE) 
{ 

startProcs[*count].th32ProcessID - PID; 
startProcs[*count].cntThreads ^ 0; 
strcpy{startProcs[*count] .szExeFile, Ipstr); 

} 

else 
{ 

cuiTentProcs[*count].th32ProcessrD = PID; 
currentProcs[*count]xntThreads = 0; 
strcpy(cuiTentProcs[*count].szExeFile, Ipstr); 

} 

(*count)++; 

} 

return TRUE; 

} 



// The EnumProcs function takes a pointer to a callback function 
// that will be called once per process in the system providing 
// process EXE filename and process ID. 
// Callback function definition: 

// BOOL CALLBACK Proc( DWORD dw, LPCSTR Ipstr, LPARAM IParam ); 

// 

// IpProc — Address of callback routine. 

// 

// IParam - A user-defined LPARAM value to be passed to 
// the callback routine. 

BOOL WINAPI EnumProcs{ PROCENUMPROC IpProc, LPARAM IParam ) 
{ 

OSVERSIONINFO osver; 

HINSTANCE hInstLib; 

HINSTANCE hInstLib2; 

HANDLE hSnapShot; 

PROCESSENTRY32 procentry; 

BOOL bFlag; 

LPDWORD IpdwPIDs; 

DWORD dwSize, dwSize2, dwindex; 

HMODULE hMod; 

HANDLE hProcess; 

char szFileName[ MAX_PATH ]; 

EnumlnfoStruct sinfo; 



//char display[100]; 

// ToolHelp Function Pointers. 

HANDLE (WINAPI *lpfCreateToolhelp32Snapshot)(DWORD,DWORD); 
BOOL (WINAPI *lpfProcess32First)(HANDLE,LPPROCESSENTRY32); 
BOOL (WINAPI *lpfProcess32Next)(HANDLE,LPPROCESSENTRY32); 

// PSAPI Function Pointers. 

BOOL (WINAPI *lpfEnumProcesses)( DWORD *, DWORD cb, DWORD * ); 

BOOL (WINAPI *lpfEnumProcessModules)( HANDLE, HMODULE *, DWORD, LPDWORD ); 

DWORD (WINAPI *lpfGetModuleFileNameEx)( HANDLE, HMODULE, LPTSTR, DWORD ); 



// VDMDBG Function Pointers. 
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INT (WINAPI *lpfVDMEnumTaskWOWEx)( DWORD, TASKENUMPROCEX fp, LPARAM 



// Check to see if were running under Windows95 or Windows NT. 
osver.dwOSVersionlnfoSize = sizeof( osver); 
if( !GetVersionEx{ &osver ) ) 

{ 

return FALSE; 

} 

//If Windows NT: 

if( osver.dwPlatformId VER_PLATFORM_WTN32_NT ) 
{ 

// Load library and get the procedures explicitly. We do 
// this so that we don't have to worry about modules using 
// this code failing to load under Windows 95, because 
// it can't resolve references to the PSAPLDLL. 
hInstLib = LoadLibraryA( "PSAPLDLL" ); 
if( hInstLib NULL ) 
return FALSE; 

hInstLib2 = LoadLibraryA( "VDMDBG.DLL" ); 
if(hInstLib2=NULL) 
return FALSE ; 

// Get procedure addresses. 

IpfEnumProcesses = (BOOL(WINAPI *)(DWORD *,DWORD,DWORD*)) 

GetProcAddress( hInstLib, "EnumProcesses" ); 
IpfiEnumProcessModules = (BOOL(WINAPI *)(HANDLE, HMODULE *, DWORD, 

LPDWORD)) 

GetProcAddress( hInstLib, "EnumProcessModules*' ); 
IpfGetModuleFileNameEx =(DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, 

DWORD )) 

GetProcAddress( hInstLib, "GetModuIeFileNameExA" ); 
IpfVDMEnumTaskWOWEx =(INT{WINAPI *)( DWORD, TASKENUMPROCEX, 

LPARAM)) 

GetProcAddress( hInstLib2, "VDMEnumTaskWOWEx" ); 

if( IpfEnumProcesses == NULL || IpfEnumProcessModules = NULL || 

IpfGetModuleFileNameEx NULL || IpfVDMEnumTaskWOWEx = NULL) 

{ 

FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

// Call the PSAPI function EnumProcesses to get all of the 

// ProcID's currently m the system. 

// NOTE: In the documentation, the third parameter of 

// EnumProcesses is named cbNeeded, which implies that you 

// can call the function once to find out how much space to 

// allocate for a buffer and again to fill the buffer. 

// This is not the case. The cbNeeded parameter returns 

// the number of PIDs returned, so if your buffer size is 

// zero cbNeeded returns zero. 

// NOTE: The "HeapAlloc" loop here ensures that we actually 
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// allocate a buffer large enough for all the PIDs in the system. 

dwSize2 = 256 * sizeof( DWORD ); 

lpdwPIDs = NULL; 

do 

{ 

if( IpdwPIDs ) 

{ 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
dwSize2 *= 2; 

} 

IpdwPIDs = (LPDWORD)HeapAlloc( GetProcessHeapO, 0, dwSize2 ); 
if( IpdwPIDs == NULL) 
{ 

FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

if( !lpfEnumProcesses( IpdwPIDs, dwSize2, &dwSize ) ) 
{ 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

} 

while( dwSize == dwSize2 ); 

// How many ProcID's did we get? 
dwSize /= sizeof( DWORD ); 

// Loop through each ProcID. 

for( dwindex = 0 ; dwindex < dwSize ; dwIndex-H- ) 

{ 

szFiIeName[0] - 0; 

// Open the process (if we can... security does not 
// permit every process in the system). 

hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | 

PROCESS_VM_.READ, 

FALSE, lpdwPIDs[ dwindex ] ); 

if( hProcess !=NULL) 
{ 

// Here we call EnumProcessModuIes to get only the 

// first module in the process this is important, 

// because this will be the .EXE module for which we 

// will retrieve the full path name in a second. 

if( lpfEnumProcessModules( hProcess, &;hMod, sizeof( hMod ), 

&dwSize2 ) ) 

{ 

// Get Full pathname: 

if( !lpfGetModuleFileNameEx( hProcess, hMod, szFileName, 

sizeof( szFileName ) ) ) 

{ 

szFileName[0] = 0; 

} 

} 

CloseHandle( hProcess ); 
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} 

// Regardless of OpenProcess success or failure, we 
// still call the enum fiinc with the ProcID. 
if(!lpProc( lpdwPIDs[dwIndex], 0, szFileName, IParam)) 
break; 

// Did we just bump into an NTVDM? 

if{ _stricmp( szFileName+(strlen(szFileName)-9), "NTVDM.EXE")==0) 
{ 

// Fill in some info for the 16-bit enum proc. 
sInfo.dwPID = lpdwPIDs[dwIndex]; 
sInfo.lpProc = IpProc; 
sInfo.lParam === IParam; 
sInfo.bEnd = FALSE; 
// Enum the 1 6-bit stuff, 

lpfVDMEnumTaskWOWEx( lpdwPIDs[dwIndex], 

(TASKENUMPROCEX) Enuml6, 

(LPARAM) &sInfo); 
// Did our main enum func say quit? 
if(sInfo.bEnd) 

break; 

} 

} 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
FreeLibrary( hInstLib2 ); 

//If Windows 95: 
} 

else if( osver.dwPlatformId VER_PLATFORM_WIN32_WINDOWS ) 

hInstLib - LoadLibraryA( "Kemel32,DLL" ); 
if(hInstLib ==NULL) 
return FALSE; 

// Get procedure addresses. 

// We are linking to these functions of Kemel32 explicitly, because 
// otherwise a module using this code would fail to load under Windows NT, 
// which does not have the Toolhelp32 functions in the Kernel 32. 
lpfCreateToolhelp32Snapshot= (HANDLE(WINAPI *)(DWORD,DWORD)) 

GetProcAddress( hInstLib, "CreateToolhelp32Snapshot" ); 
lpfProcess32First= (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress{ hInstLib, "Process32First" ); 
lpfProcess32Next= {BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, "Process32Next" ); 

if{ lpfProcess32Next == NULL || lpfProcess32First = NULL || 
lpfCreateToolhelp32Snapshot === NULL ) 

{ 

FreeLibrary( hInstLib ); 
return FALSE; 

} 



// Get a handle to a Toolhelp snapshot of the systems processes. 

hSnapShot = lpfCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); 
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if( hSnapShot = INVALID_HANDLE_VALUE ) 
{ 

FreeLibraryC hInstLib ); 

return FALSE; 
} 

// Get the first process* information. 
procentry.dwSize = sizeof(PROCESSENTRY32); 
bFlag = IpfProcess32First( hSnapShot, &procentry ); 

while( bFlag ) 
{ 

//itoa(procentry.th32ProcessID, display, 16); 

//MessageBox( NULL, display, "Proc Killer 95 and NT", MB_OK ); 

// Call the enum func with the filename and ProcID. 

if(lpProc( procentry.th32ProcessID, 0, procentry.szExeFile, IParam )) 

procentry.dwSize = sizeof(PROCESSENTRY32); 
bFlag = lpfProcess32Next( hSnapShot, &procentry ); 

else 

bFlag - FALSE; 

} 

CloseHandle(hSnapShot); 

} 

else 

return FALSE; 

if(firstTime == TRUE) 

firstTime - FALSE; 

// Free the library. 
FreeLibrary( hInstLib ); 

return TRUE; 



BOOL WINAPI Enuml6( DWORD dwThreadId, WORD hModl6, WORD hTaskl6, 
PSZ pszModName, PSZ pszFileName, LPARAM IpUserDefmed ) 

BOOL bRet; 

EnumlnfoStruct *psInfo = (EnumlnfoStruct *)lpUserDefmed; 

bRet = psInfo->IpProc( psLifo->dwPID, hTaskl6, pszFileName, psInfo->lParam ); 

if(!bRet) 
{ 

psInfo->bEnd-TRUE; 

} 

return IbRet; 



llllfllllllllllflfll/llllll/llllll 

II null out the current proc list 



Illlllllllllllllllllllllllllllllll 

void nullCurrentProcListO 

{ 

for (int i = 0; i < max_count; i++) 
{ 

currentProcs[i].th32ProcessID = 0; 
currentProcs[i].cntThreads = 0; 
strcpy(currentProcs [i] . szExeFile, " ") ; 

} 

} 

llllllllllllllllllllllllllllllllfl 
11 kill all non valid procs 

IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII 

void killAllNonValidProcsO 
{ 

PROCENUMPROC IpProc; 

LONG IParam; 

HANDLE procToKill; 

DWORD dwDesiredAccess; 

BOOL bInheritHandle; 

DWORD dwProcessId; 

FILE *fp_pids; // PIDs file 

FILE *fp_torestart; // file of processes that must be restarted all killed procs) 
int termVal; // is 0 if the process does not terminate 
char lpszRetStr[255]; 

nullCurrentProcListO; 
lParam=0; 
lpProc= Proc; 

EnumProcs( IpProc, (LPARAM) &lParam ); 

// this will empty the restart file if it is not ahready null 
fp_torestart = fopen("c:\\restartpids.bat", "w"); 
fclose(fp_torestart); 

^_pids = fopen("c:\\pids.txt", "a"); 
f^rintf(Q>_pids, "\n\nSearching Procs to kill:\n"); 
^rintf(fi5jpids, "===========\n"); 

fclose(lp_pids); 



char szApp[80]; 

LPOLESTR szwApp; 

strcpy(szApp,"Word.Application"); 

// Find number ofcharacters to be allocated 
int len2 = strlen(szApp) + 1; 

// Use OLE Allocator to allocate memory 

szwApp - (LPOLESTR) CoTaskMemAlloc(len2*2); 

if(szwApp=-NULL) 

{ 

// MessageBox("Out of Memory", "Error"); 
return ; 
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} 

// AnsiToUnicode conversion 
if (0 = MuitiByteToWideChar(CP_ACP, 0, szApp, len2, 
szwApp, len2)) 

{ 

// Free Memory allocated to szwApp if conversion failed 
CoTaskMemFree(szwApp); 
szwApp = NULL; 
// MessageBox("Error in Conversion", "Error"); 
return ; 

} 

// Get Path to Application and display it 

GetWordPath(s2wApp, IpszRetStr, 255); 
char szSysPath[255]; 
long len; 
long lenWinDir; 

GetSystemDirectory(szSysPath,sizeof(s2SysPath)); 
len = strlen(szSysPath); 
// kill all non-essential procs 
char szWinDir[255]; 

GetWindov^sDirectory(szWinDir,sizeof(szWinDir)); 

lenWinDir = strlen(szWinDir); 

char szTaskMon[255]; 

strcpy(szTaskMon,szWinDir); 

strcatCszTaskMon/'WTASKMON.EXE"); 

for (int i = 0; i < max_count; i++) 

{ 

char szShortPath[255]; 

GetShortPathName(currentProcs[i].szExeFile,szShortPath,255); 

if (stricmp(&(currentProcs[i].szExeFile[len+l]),"KERNEL32.DLL") = 0 || 

stricmp(&(currentProcs[i],szExeFile[len+l]),"MSGSRV32.EXE") = 0 || 
stricmp(&(currentProcs[i],szExeFile[len+l]),"INTERNAT.EXE") — 0 || 
stricnip(&(currentProcs[i].szExeFile[len+l]),"MPREXE.EXE") == 0 || 
stricnip(&(currentProcs[i].szExeFile[len+l]V'MSTASK.EXE'0 — 0 |i 
stricnip(&(currentProcs[i],szExeFile[len+l]);^RUNONCE.EXE") == 0 H 
stricmp(&(currentProcs[i].szExeFile[len+l]),"RPCSS.EXE") == 0 || 
stricmp(&(currentProcs[i].szExeFile[len+l]);'SPOOL32.EXE") — 0 || 
stricmp(&(currentProcs[i].szExeFile[len+l]),"SSI_TIMER.DLL*') 0 |1 

// stricmp(&(currentProcs[i].szExeFile[IenWinDir+l])/'EXPLORER.EXE"^ === 0 

li 

stricmp(currentProcs[i].szExeFile,"C:\\PROGRAMFILES\\SECUREXAM 
STUDENT\\SSI_STUDENT.EXE") 0 || 

stricmp(currentProcs[i].szExeFile/'C:\\WINDOWS\\DESKTOP\\SSI_STUDENT.EXE") == 0 || 
// strcmp(currentProcs[i].szExeFile,"C:\\PROGRAMFILES\\MICROSOFT 
OFFICEWOFFICEWWINWORD.EXE") 0 || 

stricmp(szShortPath,lpszRetStr) == 0 |1 

//strcmp(currentProcs[i],szExeFile,"C:\\PROGRAM 
FILES\\WEBSVR\\SYSTEM\\INETSW95.EXE") == 0 |1 

//strcmp(currentProcs[i].S2ExeFile,"C:\\PROGRAM FILESWNORTON 
ANTIVIRUS\\NAVAPW32.EXE") = 0 || 

stricmp(&(currentProcs[i].szExeFile[IenH-l])/'mmtask.tsk") = 0 || 

stricmp(&(currentProcs[i].szExeFile[len+l]);TSTORES.EXE") == 0 || 
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strcmp(currentProcs[i].szExeFile,szTaskMon) == 0 || 
stricmp(&(currentProcs[i].szExeFiIe[len+l]);'SYSTRAY.EXE") = 0 || 
//strcmp(cuiTentProcs[i].szExeFile;'C:\\WINDOWS\\ESSOLO,EXE") = 0 || 
stricmp(currentProcs[i].szExeFile,"C:\\MOUSE\\SYSTEM\\EM EXEC.EXE") 

= 0|| 

//strcmp(cuiTentProcs[i].szExeFile/'C:\\IBMTOOLS\VAPTEZBTN\\APTEZBP.EXE") = 0 || 
//strcmp(currentProcs[i],szExeFile;'C:\\CSAFE\VAUTOCHK.EXE") = 0 || 
//strcmp(currentProcs[i].szExeFiIe;'C:\\PROGRAM 
FILESWREALWREALPLAYERWREALPLAY.EXE") ^ 0 || 

//strcmp(currentProcs[i]-szExeFile,"C:\\PROGRAM FILESWICQWICQ.EXE") 

= 0|| 

//strcmp(currentProcs[i].szExeFile,"C:\\PROGRAM FILESWNORTON 
ANTIVIRUS\\NSCHED32.EXE") — 0 |1 

//strcmp(currentProcs[i].szExeFile,"C:\\PROGRAM FILESWMICROSOFT 
OFFICEWbFFICEWOSA.EXE") — 0 || 

// strcmp(currentProcs[i].szExeFile,"C:\\TOOLS_95\\IOWATCH.EXE") = 0 || 

// strcmp(currentProcs[i].szExeFile;'C:\\TOOLS_95\\IMGICON,EXE") = 0 || 

// strcmp(cuiTentProcs[i] .szExeFile,"C:\\PROGRAM 

FILES\\DEVSTUDIO\\SHAREDIDE\\BIN\\MSDEV.EXE") = 0 || 

// stricmp(&(currentProcs[i].szExeFile[len+l]);'WrN[OA386.MOD") = 0 || 

// — -jadder old 

// stricmp(currentProcs[i].s2£xeFile;'C:\\PROGRAMFILES\\SECUREXAM 
STUDENT\\STOP_SSI_DAEMON,EXE") 0 || 

stricmp(currentProcs[i].szExeFile;'C:\\PROGRAM FILESWSECUREXAM 
STUDENT\\SSI_DAEMON.EXE") == 0 || 
//— j Rep 

stricmp(currentProcs[i].szExeFile;'C:\\PROGRAM FILESWSECUREXAM 
STUDENT\\SSI_Temp.dat") == 0 || // <--othee file 

stricmp(currentProcs[i].szExeFile/'C:\\PROGRAM FILESWSECUREXAM 
STUDENTWSSITmpST.dat") = 0 || // <--stop_ssLdaemon 

stricmp(currentProcs[i].szExeFile,"C:\\PROGRAM FILESWSECUREXAM 
STUDENT\\SSITemp2.dat") — 0 ) /// <--ssi_daemon 
// — -j end 

{ 

// do nothing, these are ok 

} 

else 
{ 

dwProcessId = currentProcs[i].th32ProcessID; 

if (dwProcessId != 0) 

{ 

// kill these 

dwDesiredAccess - PROCESS_ALL_ACCESS; 
bInheritHandle =TRUE; 

procToKill = OpenProcess( dwDesiredAccess, bInheritHandle, 

dwProcessId ); 

termVal = TerminateProcess(procToKill, 0); 



// Who : Robin wei 

//Date : 02-9-24 14:52:53 

// Reason : To make sure the process has been terminated and clear the object. 
// Modify ™ [Begin] 
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// WaitForSmgleObject(procToKill,INFINITE); 

CloseHandle(procToKill); 
//Modify [End] 

if(termVal !=0) 
{ 

fp_j)ids = fopen("c:\\pids.txt'\ "a"); 
fprintf(fp_pids, "Proc KILLED: Ox%x %s\n", 
currentProcs [i] , th3 2ProcessID, currentProcs[i] .szExeFile) ; 

fclose(fp_pids); 



file 



// save the procs that must be restarted at end of exam to a .bat 

fp_torestart^ fopen{"c:\\restartpids.bat", "a+"); 
fprintf(fp_torestart, "\"%s\"\n", currentProcs [ij.szExeFile); 
fclose(fpjorestart); 

} 

} 

} 

} 

// append synchronization file creation to the end of the restart .bat file 
fp_torestart = fopen("c:\\restartpids.bat'^, "a+"); 

fprintf(Q5_torestart, "echo \"RESTART SYNC FILE\" > c:\\dumdumresfile.txt" ); 
fclose(fp_torestart); 



int main(int argc, char* argv[]) 
{ 

PROCENUMPROC IpProc; 
LPARAM IParam; 
HANDLE procToKill; 
DWORD dwDesiredAccess; 
BOOL bInheritHandle, procIsOK; 
DWORD dwProcessId; 
FILE *Q)j>ids; //PIDsfile 
FILE *QD_cheat; //cheat file 
int i, j, num_valid; 

// kick off the SSI_STUDENT.exe 

//system( "c:\\tom\\procKiIler95andNT\\SSI_STUDENT.exe" ); 
CoInitialize(NULL); 

// init the start, current, and valid proc lists 

for (i = 0; i < max_count; i+-i-) 

{ 

startProcs[i].th32ProcessID = 0; 
startProcs[i].cntThreads = 0; 
strcpy(startProcs[i].szExeFile, ""); 

validProcs[i].th32ProcessID = 0; 
validProcs[i]xntThreads = 0; 
strcpy(validProcs[i].szExeFile, ""); 

} 



nullCurrentProcListO; // clear the current proc list 



// get snapshot of starting processes 
firstTime - TRUE; 
lParam=0; 
lpProc= Proc; 

EnumProcs( IpProc, (LP ARAM) (&lParam) ); 
firstTime = FALSE; 

// write out starting processes to file 
fp_pids = fopen("c:\\pids,txt", "w+"); 
f^rintf(fp_pids, "Starting PIDS:\n"); 
fprintf(^ jids, "==========\n"); 

for (i = 0; i < max_count; i-i-+) 
{ 

if {startProcs[i].th32ProcessID != 0) 
{ 

fiprintf(fp_pids, "Ox%x %ld %s\n", startProcs[i].th32ProcessID, 
startProcs[i].cntThreads, startProcs[i].szExeFile); 

} 

} 

fclose(fp_pids); 

// delete all non-essential processes 
killAIlNonValidProcsO; 
FreeConsoleQ; 

Sleep{500); //allow settling 

// take a snapshot - the remaining procs are valid 
nullCurrentProcListO; // clear the current proc list 
iParam=0; 
IpProc^ Proc; 

EnumProcs( IpProc, (LP ARAM) &lParam ); 



// The current proc list now has all of the valid procs allowed. 
// Copy these to the valid proc list to be used for cheat detection, 
^jpids = fopen("c:\\pids.txt", "a"); 
Q3rintf(fp_pids, "\n\nValid Procs:\n"); 
fprintf(fi?_pids, "======\n"); 

num_valid = 0; 

for (i = 0; i < max__count; i++) 

{ 

if (currentProcs[i].th32ProcessID 1= 0) 
{ 

validProcs[i].th32ProcessID = currentProcs[i].th32ProcessID; 
validProcs[i].cntThreads currentProcs[i].cntThreads; 
strcpy(validProcs[i].szExeFile, currentProcs[i].szExeFile); 

fprintf(^_pids, "Ox%x %ld %s\n", validProcs[i].th32ProcessID, 
validProcs[i].cntThreads, validProcs[i].szExeFile); 
num_valid++; 

} 

} 

fclose(fp_pids); 
chars2SysPath[255]; 
long len; 
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GetSystemDirectory(szSysPath,sizeof(szSysPath)); 
len strlen(szSysPath); 

// main cheat detection, kill opening procs and record to cheat file 

while(l) 

{ 

// Main message loop: 
MSG msg; 

while (PeekMessage(&msg,NULL,0,0,PM_REMOVE)) 

{ 

TranslateMessage(&msg); 
DispatchMessage(&msg); 

} 

Sieep(500);//tpr 5/1/99 

nulICurrentProcListO; // clear the current proc list 

lParam-0; 

IpProc- Proc; 

EnumProcs( IpProc, (LPARAM) &lParam ); 



HWND hwnd; 

hwnd - FmdWindow("WinPopup",NULL); 
if(hwnd ) 

{ 

Sleep(lOOO); 
continue; 

} 

hwnd - FmdWindow("ExploreWClass",NULL); 
if(hwnd) 

{ 

PostMessage(hwnd,WM_CLOSE,0,0); 

} 

hwnd = FindWindow("CabinetWClass",NULL); 
if(hwnd) 

{ 

PostMessage(hwnd,WM_CLOSE,0,0); 

} 

for (i=0; i < max_count; i-H-) 

{ 

if (currentProcs[i].th32ProcessID != 0) 

{ 

procIsOK = FALSE; 

for (j=0; j < num_valid; j++) 

{ 

if (currentProcs[i].th32ProcessID = 

validProcs[j].th32ProcessID) 

procIsOK = TRUE; 

} 

//— jadder— old 

// if( stricmp(currentProcs[i].szExeFile,"C:\\PROGRAM 

FILESWSECUREXAM STUDENT\\STOP_S SI_DAEMON.EXE") == 0 |i 
// — j Rep 

if( stricmp(currentProcs[i].szExeFile,"C:\\PROGRAM 
FILESWSECUREXAM STUDENTVVS SI_Temp.dat") = 0 || 
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//— j end 

stricmp(cuiTentProcs[i].szExeFile;'C:\\PROGRAM 
FILESWSECUREXAM STUDENmSITmpST.dat") == 0 || 

// 

stricmp(&(currentProcs[i].szExeFile[len+l]);'WINOA386.MOD") = 0 || 

stricmp(&(currentProcs[i].szExeFile[len-fl]);'SSI_TIMER.DLL'') == 0 ) 
{ 

procIsOK = TRUE; 

} 

if(procIsOK = FALSE) 
{ 

dwDesiredAccess = PROCESS_ALL_ACCESS; 
bInheritHandle =TRUE; 
dwProcessId = currentProcs[i].th32ProcessID; 
procToKill = OpenProcess( dwDesiredAccess, 

bInheritHandle, dwProcessId ); 



TerminateProcess(procToKill, 0); 

// Who : Robin wei 

//Date : 02-9-24 14:52:53 

// Reason : To make sure the process has been terminated and clear the object. 
//Modify [Begin] 

// WaitForSingleObject(procToKill,INFINITE); 

CloseHandle(procToKill); 
//Modify [End] 



f/fyjpids - fopen("c:\\pids.txt", "a"); 
//^rintf(fp_pids, "\nCHEATING DETECTED using 

%s\n",currentProcs[i].szExeFile); 

//fclose(fp_j)ids); 

Q>^cheat = fopen("c:\\cheatfile.txt", "a"); 
fprintf(fp_cheat, "\nCHEATING DETECTED using 

%s\n",currentProcs[i],szExeFile); 

fclose(fp_cheat); 

//exit(l); // must be killed by the SSI Student app. 

} 

} 

} 

//James add 



// begin 

// EnumWindows(EnumWindowsProc,0); 

// EnumDesktopWindows(NULL,EnumWindowsProc,0); 

/A end 



}//while 
return 0; 

} 
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BOOL GetWordPath(LPOLESTR szApp, LPSTR szPath, ULONG cSize) 
{ 

CLSID clsid; 
LPOLESTRpwszClsid; 
CHAR szKey[128]; 
CHAR szCLSID[60]; 
HKEY hKey; 

ULONG oldSize = cSize; 
// szPath must be at least 255 char in size 
if(cSi2e<255) 

return FALSE; 

// Get the CLSID using ProgID 

HRESULT hr - CLSIDFromProgID(szApp, &clsid); 

if(FAILED(hr)) 

{ 

// AfxMessageBoxC'Could not get CLSID from ProgID, Make sure ProgID is correct", MB_OK, 0); 

return FALSE; 

} 

// Convert CLSID to String 

hr - StringFromCLSID(clsid, &pwszClsid); ^ 

if(FAILED(hr)) 

{ 

// A6cMessageBox("Could not convert CLSID to String", MB_OK, 0); 
return FALSE; 

} 

// Convert result to ANSI 

WideCharToMultiByte(CP_ACP, 0, pwszClsid, -1, szCLSID, 60, NULL, NULL); 

// Free memory used by StringFromCLSID 
CoTaskMemFree(pwszCIsid); 

// Format Registry Key string 

wsprintf(szKey, "CLSID\\%s\\LocalServer32", szCLSID); 
// Open key to find path of application 

LONG IRet - RegOpenKeyEx(HKEY_CLASSES_ROOT, szKey, 0, KEY_ALL_ACCESS, &hKey); 

if (IRet !- ERROR__SUCCESS) 

{ 

// If LocalServer32 does not work, try with LocalServer 
wsprintf(szKey, "CLSID\\%s\\LocalServer", szCLSID); 

IRet = RegOpenKeyEx(HKEY__CLASSES_ROOT, szKey, 0, KEY_ALL_ACCESS, &hKey); 
if (IRet != ERROR_SUCCESS) 

{ 

// AfxMessageBox("No LocalServer Key found! ! MB^OK, 0); 
return FALSE; 

} 

} 

// Query value of key to get Path and close the key 

IRet = RegQueryValueEx(hKey, NULL, NULL, NULL, (BYTE*)szPath, &cSize); 

RegCloseKey(hKey); 

if (IRet != ERROR_SUCCESS) 

{ 
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// AfxMessageBox("Error trying to query for path", MB_OK, 0); 
return FALSE; 

} 

// Strip off the '/Automation' switch from the path 

char *x = strrchr(szPath, V); 

if(0!- x) // If no /Automation switch on the path 

{ 

int result x - szPath; 

szPath[result] ='\0*; // If switch there, strip it 
} 

for(int i= strlen(szPath)-l;i>=0;i--) 
{ 

if(szPath[i] 

S2Path[i] -0; 

else 

break; 

} 



// Who : Robin wei 

//Date : 00-10-8 13:45:03 

// Reason : For compile with Win95 

// Modily [Begm] 

GetShortPathName(szPath,szPath,oldSize); 
// Modify [End] 



// Who : Robin wei 

//Date : 00-10-8 13:44:41 

// Reason : This flinciton does not exists in win 95 

#if0// Delete [Begin] 

GetLongPathName(szPath,szPath,oldSize); 

#endif //Delete [End] 



return TRUE; 

} 



//James add 

BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam) 
{ 

bool binvalid; 
DWORD ProID; 

LPDWORD lpdwProcessId=&ProID; 
WINDOWPLACEMENT wndpl; 
GetWindowPlacement(hwnd,&wndpl); 
if (wndpl.showCmd=SW_HIDE) 

{ 

GetWindowThreadProcessId{hwnd,lpdwProcessId); 
blnvalid=false; 
for (int i=0; i < max_coimt; i-H-) 
{ 

if (currentProcs[i].th32ProcessID *lpdwProcessId) 
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{ 

blnvalid=true; 
break; 

} 

} 

if (blnvalid==false) 
{ 

PostMessage(hwnd,WM_CLOSE,0,0); 

} 
} 

return true; 



//end 



a 
m 
m 
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stdafx.cpp 

// stdafx.cpp : source file that includes just the standard includes 

// ssi_daemon.pch will be the pre-compiled header 

// stdafe.obj will contain the pre-compiled type information 

#include "stdafx.h" 

// TODO: reference any additional headers you need in STDAFX.H 
// and not in this file 
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Stdafx.h 

// stdafe.h : include file for standard system include files, 

// or project specific include files that are used frequently, but 

// are changed infrequently 

// 

#if !defined(AFX_STDAFX__H_A9DB83DB_A9FD_llD0_BFDl_444553540000_INCLUDEDJ 
#define AFX_STDAFX_^H_A9DB83DB_A9FD_i 1D0_BFD1_^444553540000_INCLUDED_ 

#if_MSC_VER> 1000 
#pragma once 

#endif //_MSC__VER> 1000 

#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 

#include <wmdows.h> 
#include <objbase.h> 

// TODO: reference additional headers your program requires here 
//{ { AFX_INSERT_LOCATION} } 

// Microsoft Visual C-H- will insert additional declarations immediately before the previous line. 
#endif//!defined(AFX__STDAFX_H_A9DB83DB_A9FD_llDO_BFDl_444553540000_INCLUDEDJ 



APPENDIX 3SI 



Tempdoc.doc 
Modulel (Code) 



Option Explicit 

t 

' Listing 25. 10. Using Win32 API functions to read the Windows 95 sub version from the Registry. 

Declare Function RegOpenKeyEx Lib "advapi32,dir' Alias "RegOpenKeyExA" (ByVal hKey As Long, 
By Val IpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) 
As Long 

Declare Function RegQueryValueEx Lib "advapi32.dir' Alias "RegQueryValueExA" (ByVal hKey As 
Long, ByVal IpValueName As String, ByVal IpReserved As Long, ipType As Long, ByVal IpData As 
Any, IpcbData As Long) As Long 

Declare Function RegCloseKey Lib "advapi32.dH" (ByVal hKey As Long) As Long 

Declare Function RegFlushKey Lib "advapi32.dll" (ByVal hKey As Long) As Long 

Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, 

ByVal IpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal IpData As 

Any, ByVal cbData As Long) As Long 



' You may not need all these variables! 

Public Const DELETE = &H10000 

Public Const READ_CONTROL = &H20000 

Public Const WRITE_DAC = &H40000 

Public Const WRITE_OWNER = &H80000 

Public Const SYNCHRONIZE = &H100000 

Public Const STANDARD_RIGHTS_READ = (READ_CONTROL) 

Public Const STANDARD_RIGHTS_WRITE = (READ_CONTROL) 

Public Const STANDARD_RIGHTS_EXECUTE = (READ_CONTROL) 

Public Const STANDARD_RIGHTS_REQUIRED = &HFOOOO 

Public Const STANDARD_RIGHTS_ALL = &H1F0000 

Public Const KEY_QUERY_VALUE = &H1 

Public Const KEY_SET_VALUE = &H2 

Public Const KEY_CREATE_SUB_KEY = &H4 

Public Const KEY_ENUMERATE_SUB_KEYS = &H8 

Public Const KEY_NOTIFY = &H10 

Public Const KEY_CREATE_LINK = &H20 

Public Const KEY_READ = ((STANDARD_RIGHTS_READ Or KEY_QUERY_VALUE Or 
KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY) And (Not SYNCHRONIZE)) 
Public Const KEY_WRITE = ((STANDARD_RIGHTS_WRITE Or KEY_SET_VALUE Or 
KEY_CREATE_SUB_KEY) And (Not SYNCHRONIZE)) 
Public Const KEY_EXECUTE = (KEY_READ) 

Public Const KEY_ALL_ACCESS = ((STANDARD_RIGHTS_ALL Or KEY_QUERY_VALUE Or 

KEY_SET_VALUE Or KEY_CREATE_SUB_KEY Or KEY_ENUMERATE_SUB_KEYS Or 

KEY_NOTIFY Or KEY_CREATE_LINK) And (Not SYNCHRONIZE)) 

Public Const ERROR_SUCCESS = 0& 

Public Const HKEY_CLASSES_ROOT = &H80000000 

Public Const HKEY_CURRENT_USER = &H80000001 

Public Const HKEY_LOCAL_MACHINE = &H80000002 

Public Const HKEY_USERS = &H80000003 

Public Const REG SZ=1 
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Public Const REG_BrNARY = 3 
Public Const REG^DWORD - 4 
Dim starttime As Date 
Dim oldCustomDic As String 
Const wdFieldDocProperty = 85 



AutoNew 

- Fires when a new document is created from the template. Opening 
the template for editing won't effect you. 



' Sub AutoExecQ 
' Sub AutoNewQ 

' Sub AutoOpenO Modified by GAT Bernard Young 30-08-00 
Sub MInitializeO 

Dim i As Integer 

On Error Resume Next 

" <™ Added by GAT Bernard Young 30-08-00 

Selection.LanguagelD = wdEnglishUS 

Selection.NoProofmg = False 

Application.CheckLanguage = False 

Application. EnableCancelKey = wdCancelDisabled 

Application.ActiveWindow.DisplayHorizontalScrollBar = False 

oldCustomDic = Application. CustomDictionaries.ActiveCustomDictionary .Path & "\" 

oldCustomDic = oldCustomDic & Application.CustomDictionaries.ActiveCustomDictionary.Name 

Application.CustomDictionaries.ClearAll 

If (ActiveDocument.CustomDocumentProperties.Count <= 0) Then 

Call ActiveDocument.CustomDocumentProperties,Add("CustomDic", False, msoPropertyTypeString, 
oldCustomDic) 
End If 

" Active Window. View.FullScreen = True 
" Ended here — > 
Dim intCount As Integer 

To Disable all the Tool Bars 

For intCount = 1 To CommandBars.Count 
CommandBars(intCount). Visible = False 
CommandBars(intCount).Enabled = False 
If (CommandBars(intCount).Name - "SSI Tool Bar") Then 

CommandBars(intCount).DELETE 
End If 
Next 



' Macro 1 Macro 

' Macro recorded 05/02/99 by douglas 

CommandBars("menu bar").Enabled = True 
CommandBars("menu bar"). Visible = True 

CommandBarsC'Menu Bar").Position = msoBarTop 
To Remove all the Menu Items of Microsoft Word 
Fori - 1 To 10 
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CommandBarsC'Menu Bar").Controls(l).DELETE 
Next 

Fori = 1 To 10 

CommandBarsC'Menu Bar'0.Controls(2).DELETE 
Next 

Fori = 1 To 10 

CommandBarsC'Menu Bar").Controls(3).DELETE 
Next 

'Add the SSI Menu 

Dim oToolbar As CommandBar 

Dim oNewFileMenu As CommandBarPopup 

Set oTdolbar = CommandBars("Menu Bar") 

Set oNewFileMenu = oToolbar. Controls. Add(msoControlPopup, , , , True) 

Let oNewFileMenu.Caption - "&File" 

Let oNewFileMenu.TooltipText - "File" 

Let oNewFileMenu.Visible = True 

Dim oNewEditMenu As CommandBarPopup 

Set oToolbar = CommandBars("Menu Bar") - 

Set oNewEditMenu = oToolbar.Controls.Add(msoControlPopup, , , , True) 

Let oNewEditMenu.Caption = "&Edit" 

Let oNewEditMenu.TooltipText = "Edit" 

Let oNewEditMenu. Visible = True 

Dim oNewViewMenu As CommandBarPopup 

Set oToolbar = CommandBars("Menu Bar") 

Set oNewViewMenu = oToolbar.ControIs.Add(msoControlPopup, , , , True) 

Let oNewViewMenu.Caption = "&View" 

Let oNewViewMenu.TooltipText = "View" 

Let oNewViewMenu. Visible = True 

Dim oNewToolsMenu As CommandBarPopup 

Set oToolbar = CommandBars("Menu Bar") 

Set oNewToolsMenu = oToolbar.Controls Add(msoControlPopup, , , , True) 
Let oNewToolsMenu.Caption - "&Tools" 
Let oNewToolsMenu.TooltipText = "Tools" 
Let oNewToolsMenu. Visible = True 



• Set oToolbar = CommandBars("Menu Bar") 

' Dim oNewTimerMenu As CommandBarButton 

' Set oNewTimerMenu = oToolbar. Controls.Add(msoControlButton, , , , True) 

' Let oNewTimerMenu.Caption = "Ti&mer" 

' With oNewTimerMenu 

' .Style = msoButtonCaption 

' TooltipText = "Exam Time" 

* .Visible = True 

' .OnAction - "ShowTime" 

' " Added by GAT Bernard Young 05-09-00 

' .ShortcutText = "CTRL + T" 

' End With 

' oNewTimerMenu.ShortcutText - "ctrl+t" 

' Let oNewTimerMenu.Visible = True 



" Added by GAT Bernard Young 09-14-00 
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" to make it possible to show exam time 
" in Word2000 when security set to high 
" by using Addin 



With Application 
For intCount = 1 To .COMAddlns.Count 
If .COMAddIns(intCount).ProgID = "SSI_ShowTime.dsrSSI_Timer" Then 
.COMAddIns(intCount).Connect = True 
Exit For 
End If 
Next 
End With 

Dim oNewTestMenu As CommandBarPopup 
Set ©Toolbar = CommandBars("Menu Bar") 

Set oNewTestMenu = oTooIbar.Controls.Add(msoControlPopup, , , , True) 
Let oNewTestMenu.Caption = "To E&xit" 
Let oNewTestMenu.TooitipText = "Exit" 
Let oNewTestMenu. Visible = True 

'Set oTooIbar = CommandBars("Menu Bar") ^ 

'Set oNewHelpMenu = oToolbar. Controls. Add(msoControlPopup, , , , True) 
•Let oNewHelpMenu.Caption = "&Help" 
'Let oNewHelpMenu.TooltipText = "Help" 
'Let oNewHelpMenu. Visible = True 

Call oNewFileMenu,CommandBar.Controls.Add(msoControlButton, 3) 

Call oNewViewMenu.CommandBar.Controls.Add(msoControlButton, 224) 
Call oNewViewMenu.CommandBar.Controls.Add(msoControlButton, 760) 
Call oNewViewMenu.CommandBar.Controls.AddCmsoControlButton, 287) 



Call oNewEditMenu.CommandBar.Controls.Add(msoControlButton, 21) 
Call oNewEditMenu.CommandBar,Controls.Add(msoControlButton, 19) 
Call oNewEditMenu.CommandBar.Controls.Add(msoControlButton, 22) 
Call oNewEditMenu.CommandBar.Controls.Add(msoControlButton, 141) 
Dim oFindNextBar As CommandBarButton 

Set oFindNextBar = oNewEditMenu.CommandBar.Controls.Add(msoControlButton, 570) 
oFindNextBar.OnAction = "Selection.Find.Execute" 
oFindNextBar.ShortcutText = "Ctrl+Alt+Y" 
Set oFindNextBar = Nothing 

Call oNewEditMenu.CommandBar.Controls.Add(msoControlButton, 313) 

Call oNewToolsMenu.CommandBar.Controls.Add(msoControlButton, 2) 
Call oNewToolsMenu.CommandBar.Controls.Add(msoControIButton, 792) 

'Call oNewHelpMenu,CommandBar.Controls.Add(msoControlButton, 983) 
'Call oNewHelpMenu.CommandBar.Controls.Add(msoControIButton, 927) 

Call oNewTestMenu.CommandBar.Controls.Add(msoControlButton, 752) 

Set oNewFileMenu = Nothing 
Set oNewEditMenu = Nothmg 
Set oNewToolsMenu = Nothing 



'Set oNewHelpMenu = Nothing 
Set oNewTestMenu = Nothing 
Set oNewViewMenu = Nothing 

oToolbar.Protection ^ msoBarNoChangeDock + msoBarNoChangeVisible + msoBarNoMove 
Set oToolbar = Nothing 

With Options 

.SaveNormalPrompt = False 
End With 



Selection.Font.Size = 12 
Selection.Font.Name = "Times New Roman" 

" Added by GAT Bernard Young 3 1-08-00 
On Error Resume Next 
Assistant.Visible = False 

ActiveWindow.ActivePane.DisplayRulers = True 
CommandBars("Menu Bar").Visible = True 
CommandBars("Menu Bar").Position = msoBarTop 
CommandBars("Full Screen").Visible = False 

Dim ctrlFormatting As CommandBarControl 

Set oToolbar = CommandBars.Add("SSI Tool Bar", msoBarTop, , True) 
For Each ctrlFormatting In CommandBars("Formatting").Controls 

If (ctrlFormatting.ID o 1732 And ctrlFormatting.BuiltIn = True) Then 
Call ctrlFormatting.Copy(oToolbar) 

End If 

Call oToolbar.Controls.Add(ctrlFormatting.Type, ctrlFormatting.ID, ctrlFormatting.Parameter, , 

True) 

Next CtrlFormatting 

Set CtrlFormatting = Nothing 

Set CtrlFormatting = CommandBars("Standard").Controls("cut") 
Call ctrlFormatting.Copy(oToolbar) 

Call oToolbar.Controls.Add(ctrlFormatting.Type, ctrlFormatting.ID, ctrlFonnatting.Parameter, , 

True) 

Set CtrlFormatting Nothing 

Set CtrlFormatting = CommandBars("Standard").Controls("copy") 
Call ctrlFormatting.Copy(oToolbar) 

'Call oToolbar.Controls.Add(ctriFormatting.Type, ctrlFormatting.ID, ctrlFormatting.Parameter, , 
True) 

Set CtrlFormatting = Nothing 

Set CtrlFormatting = CommandBars("Standard").Controls("paste") 
Call ctrlFormatting.Copy(oToolbar) 

'Call oToolbar.Controls.Add(ctrlFormattmg.Type, ctrlFormatting.ID, ctrlFormatting.Parameter, , 
True) 

Set ctrlFormattmg = Nothing 

Set CtrlFormattmg = CommandBars(" Standard"). Controls(" Spelling and Grammar...") 
Call ctrlFormatting.Copy(oToolbar) 

•Call oToolbar.Controls.Add(ctrlFormatting.Type, ctrlFormatting.ID, ctrlFormatting.Parameter, , 
True) 

Set CtrlFormatting = Nothing 
Call oToolbar.Controls.Add(6, 128, , , True) 
Call oToolbar.Controls.Add(6, 129, , , True) 
oToolbar. Visible ^ True 
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oToolbar.Enabled = True 

oToolbar.Protection msoBarNoChangeDock + msoBarNoChangeVisible + msoBarNoMove 
Set oToolbar = Nothing 
Call DisableHLink 

' Richard Taylor code starts here 

MsgBox "New code" 

" The following codes disabled by GAT Bernard Young, 12-09-00 

" Why: This procedure should be moved to VB for 

" 1 . Data transfer for StudentNamem Class Name etc. 

" 2. The header should only be added to the doc once but this procedure 

" will be called 3 when a. take exam, b. re-enter, c. when computer restarted 

With ActiveDocument.Sections(l).Headers(wdHeaderFooterPrimary).Range 

.Select 

Selection.TypeText "Student Name: " 

Selection.Fields.Add Selection.Range, wdFieldUserName, strStudentName 
Selection.MoveEnd wdParagraph, 1 
Selection.Collapse wdCoilapseEnd 
Selection.TypeParagraph 

Selection.TypeText "Class Name: " 

Selection.Fields.Add Selection.Range, wdFieldUserName, """Class Name""" 
Selection.MoveEnd wdParagraph, 1 
Selection.Collapse wdCoUapseEnd 
Selection.TypeParagraph 

Selection.TypeText "Professor Name: " 

Selection.Fields.Add Selection.Range, wdFieldUserName, """Professor Name""" 
Selection.MoveEnd wdParagraph, 1 
Selection.Collapse wdCoilapseEnd 
Selection.TypeParagraph 

Selection.TypeText "Exam Date: " 

Selection.FieIds.Add Selection.Range, wdFieldDate, """Exam Date""" 
Selection.MoveEnd wdParagraph, 1 
Selection.Collapse wdCoilapseEnd 
Selection.TypeParagraph 



' Selection.TypeText "Student Name: " 
'.Fields.Add Selection.Range, wdFieldDocProperty, "Student" 
'Selection.MoveEnd wdLine, 1 
'Selection.Collapse wdCoilapseEnd 
'Selection.TypeText vbTab & "Department: " 

'.Fields.Add Selection.Range, wdFieldDocProperty, """ExamName""" 
'Selection.MoveEnd wdLine, 1 
'Selection.Collapse wdCoilapseEnd 
'Selection.TypeText vbTab & "GraderName " 
'.Fields.Add Selection.Range, wdFieldDocProperty, """Date""" 
End With 

With ActiveDocument.Sections(l).Footers(wdHeaderFooterPrimary).Range 



.Select 

Selection.TypeText vbTab & "Page " 
.Fields.Add Selection.Range, wdFieldPage 
Selection.MoveEnd wdLine, 1 
Selection.Collapse wdCollapseEnd 
Selection.TypeText " of " 
.FieldsAdd Selection.Range, wdFieldNumPages 
End With 

ActiveDocument.Sections(l).Headers(wdHeaderFooterPrimary).Range.Select 
Selection.LanguagelD = wdEnglishUS 
Selection.NoProofing = True 

ititiftn 

Active Window.ActivePane.Close 

" Disabled 02-13-01 

" ActiveDocument.Fields.Update 

'Richard Taylor's code ends here 

End Sub 

Sub FirstRunO 
Dim ret 

starttime = #12:00:00 AM# 
Dim retval As Long 
Dim hKey As Long 
Dim strSubKey As String 
Dim strData As String * 80 
Dim IngDataLen As Long 

StrSubKey = "Software\Microsoft\Windows\CurrentVersion" 

retval = RegOpenKeyEx(HKEY_CURRENT_USER, strSubKey, 0, KEY_ALL__ACCESS, hKey) 
If retval - ERROR_SUCCESS Then 

IngDataLen = Len(strData) 

IfhKeyoOThen 

retval = RegQueryValueEx(hKey, "SSI__STARTTIME", 0, REG_,SZ, strData, bgDataLen) 
If retval = ERROR_SUCCESS Then 
starttime = strData 
If (starttime = #12:00:00 AM#) Then 
" ret = MsgBox("Stop ! Do not press enter until the proctor has indicated that the securexam 

has begun.", vbExclamation + vbOKOnly + vbMsgBoxSetForeground + vbSystemModal) 
fnnStart.Show 
starttime = Now 

StrSubKey = Format(Str(starttime), "mm/dd/yyyy hh:mm:ss") 
retval - RegSetValueEx(hKey, "SSI^STARTTIME", 0, REG„SZ, strSubKey, 
Len(strSubKey)) 

retval = RegFlushKey(hKey) 
End If 
End If 
End If 

RegCloseKey (hKey) 
End If 
End Sub 

Sub FileExitO 



On Error Resume Next 
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" CommandBars("Standard").Visible = True 
" CommandBars("Formatting"). Visible = True 

ActiveDocument.Save 



" Added by GAT Bernard Young 3 1-08-00 
Assistant. Visible = False 
" CommandBars("Full Screen").Visible = True 
CommandBars("Menu Bar").Protection = 0 

Call EnableHLink 

' ActiveDocument Content, Select 
' Selection.Collapse wdCollapseEnd 

* Selection.TypeParagraph 
' Selection.TypeParagraph 
' Selection.TypeParagraph 

' Selection.TypeText "CheatDetection: " 

' Selection.Fields.Add Selection.Range, wdFieldDocProperty, "Cheat Detection 

' Selection.MoveEnd wdParagraph, 1 

' Selection.Collapse wdCollapseEnd 

' Selection.TypeParagraph 

' Selection.TypeText "Start Date: " 

' Selection.Fields.Add Selection.Range, wdFieldDocProperty, """Start Date""" 

' Selection.MoveEnd wdParagraph, 1 

' Selection.Collapse wdCollapseEnd 

' Selection.TypeParagraph 



' Selection.TypeText "Start Time: " 

' Selection.Fields.Add Selection.Range, wdFieldDocProperty, """Start Time""" 

' Selection.MoveEnd wdParagraph, I 

' Selection.Collapse wdCollapseEnd 

' Selection.TypeParagraph 

' Selection.TypeText "End Date: " 

* Selection.Fields.Add Selection.Range, wdFieldDocProperty, """End Date* 
' Selection.MoveEnd wdParagraph, 1 

* Selection.Collapse wdCollapseEnd 

* Selection.TypeParagraph 

' Selection.TypeText "End Time: " 

* Selection.Fields.Add Selection.Range, wdFieldDocProperty, """End Time""" 
' Selection.MoveEnd wdParagraph, 1 

' Selection.Collapse wdCollapseEnd 

' Selection.TypeParagraph 



Selection.TypeText "Restart Date: " 

Selection.Fields.Add Selection.Range, wdFieldDocProperty, """Restart Date""" 



Selection.MoveEnd wdParagraph, 1 
Selection.Collapse wdCollapseEnd 
Selection.TypeParagraph 

Selection.TypeText "Restart Time: " 
' Selection.Fields.Add Selection.Range, wdFieldDocProperty, """Restart Time""" 
' Selection.MoveEnd wdParagraph, 1 
' Selection.Collapse wdCollapseEnd 
' Selection.TypeParagraph 

" Disabled by GAT Bernard Young 09-12-00 
" ActiveDocument.Save 
" WordBasic.FileExit 
" Added by GAT Bernard Young 09-1 l-OO 
On Error Resume Next 

If (ActiveDocument.CustomDocumentProperties.Count > 0) Then 

oldCustomDic = ActiveDocument.CustomDocumentProperties("CustomDic").Value 

Application.CustomDictionaries.Add (oldCustomDic) 
ActiveDocument.CustomDocumentProperties("CustomDic"),DELETE 

End If 

Application.WindowState = wdWindowStateMaximize 

To enable all the Tool Bars 

Dim intCount As Long 
For intCount = 1 To CommandBars.Count 
' CommandBars(intCount).Visible = False 

CommandBars(intCount).Enabled True 

If (CommandBars(intCount).Name - "SSI Tool Bar") Then 
CommandBars(intCount),DELETE 

End If 
Next 

CommandBars("clipboard").Visible = True 
CommandBars("clipboard").Enabled - True 

Call CommandBars("clipboard").Controls("clear clipboard").Execute 
Application.Quit 
" On Error GoTo 0 
End Sub 

Sub DisableHLinkO 
With Options 

. AutoFormatAsYouTypeReplaceHyperlinks - False 
.AutoFormatReplaceHyperlinks = False 
.CheckSpellingAsYouType - True 
.CheckGrammarAsYouType = False 
.CheckGrammarWithSpelling = False 

End With 
End Sub 

Sub EnableHLmkO 
With Options 

.AutoFormatAsYouTypeReplaceHyperlinks = True 
.AutoFormatReplaceHyperlinks = True 
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End With 

End Sub 

Sub ShowTimeO 
If (starttime = #12:00:00 AM#) Then 
Dim retval As Long 
Dim hKey As Long 
Dim strSubKey As String 
Dim strData As String * 80 
Dim bigDataLen As Long 

StrSubKey = "Software\Microsoft\Windows\CurrentVersion" 

retval - RegOpenKeyEx(HKEY_CURRENT__USER, strSubKey, 0, KEY_QUERY_VALUE, hKey) 
If retval = ERROR_SUCCESS Then 

IngDataLen = Len(strData) 

IfhKey oOThen 

retval - RegQueryValueEx(hKey, "SSLSTARTTIME", 0, REG_SZ, strData, IngDataLen) 
If retval - ERROR„SUCCESS Then 
starttime = strData 

Else 

starttime = Now 
End If 
End If 

RegCloseKey (hKey) 
Else 

starttune = Now 

End If 
End If 

Dim IHour, IMin, ISecond 

ISecond = DateDiff("s", starttime, Now) 

lHour = ISecond \ 3600 

IMin = (ISecond Mod 3600) \ 60 

ISecond = (ISecond Mod 3600) Mod 60 

Dun strMsg As String 

strMsg - "Current Time : " + Str(Now) + vbLf + _ 

"Elapsed Tune : " + Format(Str(lHour) + ":" + Str(lMin) + ":" + Str(lSecond), "hh:mm:ss") 

MsgBox (strMsg) 



End Sub 



APPENDIX V 



StopProckiller95andNT.cpp 

^include "stdafx.h" 

y********************* EnumProch *********************/ 
# include <\vindows.h> 



typedef BOOL (CALLBACK *PROCENUMPROC)( DWORD, WORD, LPCSTR, LP ARAM ); 
BOOL WINAPI EnumProcs( PROCENUMPROC IpProc, LPARAM IParam ); 



EnumProcx (or .cpp) *********************/ 

//# include "EnumProc.h" 
#include <tlhelp32.h> 
# include <vdmdbg.h> 

#include "stdio.h" 

typedef struct 
{ 

DWORD dwPID; 
PROCENUMPROC IpProc; 
DWORD IParam; 
BOOL bEnd; 
} EnumlnfoStruct; 

// to use this function, declare the following 

//BOOL CALLBACK Proc ( DWORD dw, WORD wl6, LPCSTR Ipstr, LPARAM IParam ); 



// arrays of start and current processor list 
const max^count = 35; 
PROCESSENTRY32 startProcs[max_count]; 
PROCESSENTRY32 currentProcs[max_count]; 
PROCESSENTRY32 validProcs[max_count]; 
BOOL firstTime; 



BOOL WINAPI Enuml6( DWORD dwThreadId, WORD hModI6, WORD hTaskl6, 
PSZ pszModName, PSZ pszFileName, LPARAM IpUserDefmed ) ; 

void nuUCurrentProcListO; 
//void killAllNonValidProcsO; 

void stop_ssi_daemon_exeO; 

BOOL CALLBACK Proc( DWORD PID, WORD wl6,LPCSTR Ipstr, LPARAM IParam ) 
{ 

LONG *count = (LONG *) IParam; 
if(ipstr ]=NULL && strlen(lpstr)) 
{ 

if(firstTime = TRUE) 

{ 

startProcs[*count].th32ProcessID = PID; 
startProcs[*count]xntThreads ^ 0; 
strcpy(startProcs[*count].szExeFile, Ipstr); 

} 

else 

currentProcs[*count].th32ProcessID = PID; 
currentProcsf* count], cntThreads = 0; 
strcpy(currentProcs[* count]. szExeFile, Ipstr); 

} 

(*count)-H-; 



} 

return TRUE; 

} 



// The EnumProcs function takes a pointer to a caliback function 
// that will be called once per process in the system providing 
// process EXE filename and process ID. 
// Callback function definition: 

// BOOL CALLBACK Proc( DWORD dw, LPCSTR Ipstr, LPARAM IParam ); 

// 

// IpProc Address of callback routine. 

// 

// IParam A user-defmed LPARAM value to be passed to 
// the callback routine. 

BOOL WINAPI EnumProcs( PROCENUMPROC ipProc, LPARAM IParam ) 

{ 

OSVERSIONINFO osver; 

HINSTANCE hInstLib; 

HINSTANCE hInstLib2; 

HANDLE hSnapShot; 

PROCESSENTRY32 procentry; 

BOOL bPlag; 

LPDWORD IpdwPIDs; 

DWORD dwSize, dwSize2, dwindex; 

HMODULE hMod; 

HANDLE hProcess; 

char szFileName[ MAX_PATH ] , 

EnumlnfoStruct sinfo; 

//char display[100]; 

// ToolHelp Function Pointers. 

HANDLE (WINAPI *lpfCreateToolhelp32Snapshot)(DWORD,DWORD); 
BOOL (WINAPI *IpfiProcess32First)(HANDLE,LPPROCESSENTRY32); 
BOOL (WINAPI *lpfProcess32Next)(HANDLE,LPPROCESSENTRY32); 

// PSAPI Function Pointers, 

BOOL (WINAPI *lpfEnumProcesses)( DWORD *, DWORD cb, DWORD * ); 

BOOL (WINAPI *lpfEnumProcessModules)( HANDLE, HMODULE *, DWORD, LPDWORD ); 

DWORD (WINAPI *lpfGetModuleFileNameEx)( HANDLE, HMODULE, LPTSTR, DWORD ); 

// VDMDBG Function Pointers. 

INT (WINAPI *lpfVDMEnumTaskWOWEx)( DWORD, TASKENUMPROCEX fp, LPARAM ); 

// Check to see if were running under Windows95 or Windows NT. 
osver.dwOSVersionlnfoSize = sizeof( osver ); 
if( !GetVersionEx( &osver ) ) 
{ 

return FALSE; 

} 

//If Windows NT: 

if( osver.dwPlatformld VER_PLATFORM_WIN32_NT ) 
{ 

// Load library and get the procedures explicitly. We do 
// this so that we don't have to worry about modules using 
// this code failing to load under Windows 95, because 
// it can't resolve references to the PSAPI.DLL. 
hInstLib - LoadLibraryA( "PSAPLDLL" ); 
if( hInstLib = NULL) 
return FALSE; 

hInstLib2 = LoadLibraryA( "VDMDBG.DLL" ); 
if(hInstLib2— NULL) 
return FALSE ; 

// Get procedure addresses. 

IpfEnumProcesses = (BOOL(WINAPI *)(DWORD *,DWORD,DWORD*)) 
GetProcAddress( hInstLib, "EnumProcesses" ); 
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ipfEnumProcessModules = (BOOL(WINAPI *)(HANDLE, HMODULE *, DWORD, LPDWORD)) 

GetProcAddress{ hInstLib, "EnumProcessModuIes" ); 
IpfGetModuieFileNameEx =(DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, DWORD )) 

GetProcAddress( hInstLib, "GetModuIeFiieNameExA" ); 
lpf\T)MEnumTaskWOWEx =(INT(WINAPI *)( DWORD, TASKENUMPROCEX, LPARAM)) 

GetProcAddress( hInstLib2, "VDMEnumTaskWOWEx" ); 

if( IpfEnumProcesses = NULL || IpfEnumProcessModules == NULL || 

IpfGetModuieFileNameEx = NULL 1| ipfVDMEnumTaskWOWEx = NULL) 

{ 

FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

// Call the PSAPI function EnumProcesses to get all of the 

// ProcID's currently in the system. 

//NOTE: In the documentation, the third parameter of 

// EnumProcesses is named cbNeeded, which implies that you 

// can call the function once to find out how much space to 

// allocate for a buffer and again to fill the buffer 

// This is not the case. The cbNeeded parameter returns 

// the number of PIDs returned, so if your buffer size is 

// zero cbNeeded returns zero. 

//NOTE: The "HeapAlloc" loop here ensures that we actually 

// allocate a buffer large enough for all the PIDs in the system. 

d\vSize2 = 256 * sizeof( DWORD ); ^ 

lpd^\ PIDs = NULL; 

do 

{ 

if(lpdwPIDs) 

{ 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
dwSize2 *= 2; 

} 

ipdwPIDs = (LPDWORD)HeapAlIoc( GetProcessHeapQ, 0, dwSize2 ); 
if( IpdwPIDs = NTJLL) 

{ 

FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

if( !lpfEnumProcesses( IpdwPIDs, dwSize2, &dwSize ) ) 
{ 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

} 

while( dwSize == dwSize2 ); 

// How many ProcID's did we get? 
dwSize /= sizeof( DWORD ); 

// Loop through each ProcID. 

for( dwindex = 0 ; dwindex < dwSize ; dwlndex++ ) 

{ 

szFileName[0] = 0; 

// Open the process (if we can... security does not 
// permit every process in the system). 

hProcess = OpenProcess( PROCESS_QUERY_INFORMATION i PROCESS_VM_READ, 
FALSE, ipdwPIDs[ dwindex ] ); 

\f{ hProcess NNULL) 
{ 

// Here we call EnumProcessModuIes to get only the 
// first module in the process this is important, 
// because this will be the .EXE module for which we 
// will retrieve the full path name in a second. 

if( lpfEnumProcessModules( hProcess, &hMod, sizeof( hMod ), &dwSize2 ) ) 



{ 

// Get Full pathname. 

if( !IpfGetModuIeFiIeNameEx( hProcess, hMod, szFileName, sizeof( 

szFileName ) ) ) 

{ 

szFneName[0] = 0; 

) 

} 

CloseHandIe( hProcess ); 

} 

// Regardless of OpenProcess success or f^lure, we 
// still cali the enum fiinc with the ProcID, 
if(!ipProc( lpdwPIDs[dwIndex], 0, szFileName, IParam)) 
break; 

// Did we just bump into an NTVDM? 

if(_stricmp( szFiIeName+(strIen(szFileName)-9), "NTVDM. EXE ")=0) 
f 

// Fill in some info for the 16-bit enum proc. 
sInfo.dwPID = lpdwPIDs[dwIndex]; 
slnfo.lpProc = IpProc; 
slnfo.lParam = IParam; 
sInfo.bEnd = FALSE; 
// Enum the 16-bit stuff. 

lpfVDMEnumTaskWOWEx( IpdwPIDs[dwIndex], (TASKENUMPROCEX) Enum 16, 

(LPAjRAM) &sInfo); 
// Did our main enum func say quit? 
if(sInfo.bEnd) 

break; 

} 

} 

HeapFree( GetProcessHeapO, 0, IpdwPIDs ); 
FreeLibrary( hInstLib2 ); 

//If Windows 95: 
} 

else if( osver.dwPlatformId = VER_PLATFORM_WIN32_WINDOWS ) 

{ 

hInstLib = LoadLibraryA( "Kemel32.DLL" ); 
if(hInstLib = NULL) 

return FALSE; 

// Get procedure addresses. 

// We are linking to these functions of Kemel32 explicitly, because 
// otherwise a module using this code would fail to load under Windows NT, 
// which does not have theToolhelp32 functions in the Kernel 32. 
lpfCreateToolhelp32Snapshot- (HANDLE(WINAPI *)(DWORD,DWORD)) 

GetProcAddress( hInstLib, "CreateToolheIp32Snapshot" ); 
lpfProcess32First= (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, "Process32First" ); 
ipfProcess32Next- (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, "Process32Next" ); 

if( lpfProcess32Next = NULL |1 lpfProcess32First NULL |1 
IpfCreateToolhdp32Snapshot = NULL ) 

{ 

FreeLibrary( hInstLib ); 
return FALSE; 

} 

// Get a handle to a Toolhelp snapshot of the systems processes. 

hSnapShot = IpK:reateTooIhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); 

if( hSnapShot = INVALID_HANDLE_VALUE ) 
{ 

FreeLibrary( hInstLib ); 

return FALSE; 

) 



// Get the first process' information. 
procentry.dwSize - sizeof(PROCESSENTRY32); 
bFlag = lpfProcess32First( hSnapShot, &procentry ); 

while( bFlag ) 
{ 

//itoa(procentry.th32ProcessID, display, 16); 

//MessageBox( NULL, display, "Proc Killer 95 and NT", MB_OK ); 

// Call the enum fiinc with the filename and ProcID. 

if(lpProc( procentry.th32ProcessID, 0, procentry.szExeFile, IParam )) 

{ 

procentry.dwSize = sizeof(PROCESSENTRY32): 
bFlag = lpfProcess32Next( hSnapShot, &procentry ); 

} 

else 

bFlag - FALSE; 

} 

CloseHandle(hSnapShot); 

} 

else 

return FALSE; 

if(firstTime = TRUE) 

firstTime = FALSE; 

// Free the library. 
FreeLibrary( hInstLib ); 

return TRUE; 

} 



BOOL WINAPI Enuml6( DWORD dwThreadId, WORD hModl6, WORD hTaskl6, 
PSZ pszModName, PSZ pszFileName, LP ARAM IpUserDefmed ) 

.{ 

BOOL bRet; 

EnumlnfoStruct *psInfo = (EnumlnfoStruct *)lpUserDefmed; 

bRet = psInfo->lpProc( psInfo->dwPID, hTaskl6, pszFileName, psInfo->lParam ); 

if(!bRet) 
{ 

psInfo->bEnd = TRUE; 

} 

return IbRet; 

} 



llllIHfllllllllllllilllllilllflli 

II null out the current proc list 

llllllllllllllllllllllllllllllllll 

void nullCurrentProcListO 

{ 

for (int i - 0; i < max_count; i-H-) 
{ 

currentProcs[i].th32ProcessID = 0; 
currentProcs[i].cntThreads = 0; 
strcpy(currentProcs[i].szExeFile, ""); 

} 

} 

iiiiHiiiiiimmiiiiiimii 

II kill all non valid procs 

llllllllllllllllllllllllllllllllll 



int APIENTRY WinMain(HINSTANCE hinstance, 
HINSTANCE hPrevInstance, 
LPSTR IpCmdLine, 



int nCmdShow) 

{ 

stop_ssi_daemon_exeO; /^t^ 



return 0; 

} 



void stop_ssi_daemon_exeO 
{ 

PROCENUMPROC IpProc; 
LONG IParam; 
HANDLE procToKill; 
DWORD dwDesiredAccess; 
BOOL bInheritHandle; 
DWORD dwProcessId; 

int termVal; // is 0 if the process does not terminate 



nuliCurrentProcListO; 
lParam=0; 
lpProc= Proc; 

EnumProcs{ IpProc, (LPARAM) &lParam ); 

/*iit 

// this will empty the restart file if it is not already null 
fp^torestart = fopen("c:\\restartpids.bat", "w"); ^ 
fclose(fp_torestart); 

fp_pids - fopen("c:\\pids.txt", "a"); 
fprintf(fp_pids, "\n\nSearching Procs to killAn"); 
fprintf(fpj3ids, \ n"); 
fclose(fp_pids); 



char szApp[80]; 

LPOLESTR szwApp; 

strcpy(szApp,"Word.Appncation"); 

// Find number ofcharacters to be allocated 
int len2 = strlen(szApp) + 1; 

// Use OLE Allocator to allocate memory 

szwApp = (LPOLESTR) CoTaskMeniAlloc(len2*2); 

if(szwApp = NULL) 

( 

// MessageBox("Out of Memory", "Error"); 

return ; 
} 

// AnsiToUnicode conversion 

if (0 = MultiByteToWideChar(CP_ACP, 0, szApp, len2, 
szwApp, len2)) 

{ 

// Free Memory allocated to szwApp if conversion failed 
CoTaskMemFree(s2wApp); 
szwApp = NULL; 
// MessageBox("Error in Conversion", "Error"); 
return ; 

} 

// Get Path to Application and display it 
GetWordPath(szwApp, IpszRetStr, 255); 

jjt*/ 

char szSysPath[255]; 

long len; 

long lenWinDir; 

GetSystemDirectory(szSysPath,S!zeof(szSysPath)); 
len = strlen(szSysPath); 
// kill all non-essential procs 



char szWmDir[255]; 

GetWindowsDirectory(szWinDir,sizeof(szWmDir)); 

lenWinDir - strlen(szWinDir); 

char szTaskMon[255]; 

strcpy(szTaskMon,szWinDir); 

strcat(szTaskMon;'\\TASKMON.EXE"); 

for (int i - 0; i < max_count; 

{ 

char szShortPath[255]; 

GetShortPathName(currentProcs[i].szExeFile,szShortPath,255); 
if( 

stricmp(currentProcs[i].szExeFiIe,"C:\\PROGRAM FILESWSECUREXAM 
STUDENT\\SSITEMP2.DAT") = 0 ) 



dwProcessId - currentProcs[i].th32ProcessID; 

if (dwProcessId != 0) 

{ 

// kill these 

dwDesiredAccess = PROCESS_ALL_ACCESS; 
bInheritHandle =TRUE; 

procToKill = OpenProcess( dwDesiredAccess, bInheritHandle, dwProcessId ); 
termVal = TerminateProcess(procToKill, 0); 



// Who : Robin wei 

//Date : 02-9-24 14:52:53 

// Reason : To make sure the process has been terminated and clear the object. 
// Modify [Begin] 

// WaitForSingleObject(procToKill,INFINITE); 

CIoseHandle(procToKill); 

// Modify [End] 



/*if(termValN 0) 
{ 

^_pids = fopen("c:\\pids.txt", "a"); 

fprintf(fp_pids, "Proc KILLED: Ox%x %s\n", currentProcs[i].th32ProcessID, 

currentProcs[i].szExeFile); 

fcIose(fp_pids); 

// save the procs that must be restarted at end of exam to a .bat file 
fpjorestart = fopen('*c:\\restartpids,bat", "a+"); 
fprintfi(Q)_torestart, "\"%s\"\n", currentProcs[i].szExeFile); 
fclose(fpJorestart); 

}*/ 

} 

} 

} 



} 



StdAfx.cpp 

// stdafx.cpp : source file that includes just the standard includes 
// StopSSIDaemon.pch will be the pre-compiled header 

// stda^.obj will contain the pre-compi!ed type information 

#include "stdafcc.h" 

//TODO: reference any additional headers you need in STDAFX.H 
// and not in this file 



StdAfx.h 



// stdafx.h : include file for standard system include files, 

// or project specific include files that are used frequently, but 

// are changed infrequently 

// 

#if !defined(AFX_STDAFX_H__A9DB83DB_A9FD_llDO_BFDl_444553540000__rNCLUDEDJ 
#defme AFX_STDAFX_H_A9DB83DB_A9FD_1 lDO_BFDl_444553540000__rNCLUDED_ 

#if_MSC_VER> 1000 
^pragma once 

i^endif//„MSC_VER> 1000 

#defme WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 

# include <\vmdows.h> 



// TODO: reference additional headers your program requires here 
//{ { AFX_INSERT_LOCATION} } 

// Microsoft Visual C++ will insert additional declarations immediately before the previous line. 
#endif//!defmed(AFX_STDAFX_H„A9DB83DB_A9FD__nD0_BFDl_444553540U00__INCLUDEDJ 



APPENDIX I 

First daemon.c 



//for 2000 

# include "stdafe.h" 

^*************+******* EnumProc.h *********************/ 
#include <windows.h> 



tvpedef BOOL (CALLBACK *PROCENUMPROC)( DWORD, WORD, LPCSTR, LPARAM ); 
BOOL WINAPI EnumProcs( PROCENUMPROC IpProc, LPARAM IParam ); 
//James add 

BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam); 
//end 

/********************* EnumProc.c (or xpp) 
//# include "EnumProc.h" 
#include <tlhelp32.h> 
#inciude <vdmdbg.h> 

# include "stdio.h" 

typedef struct 
{ 

DWORD dwPID; 
PROCENUMPROC IpProc; 
DWORD IParam; 
BOOL bEnd; 
} EnumlnfoStruct; 

// to use this function, declare the following 

//BOOL CALLBACK Proc ( DWORD dw, WORD wl6, LPCSTR Ipstr, LPARAM IParam ); 



// arrays of start and current processor list 
const max__count = 35; 
PROCESSENTRY32 startProcs[max_count]; 
PROCESSENTRY32 currentProcs[inax_count]; 
PROCESSENTRY32 validProcs[max_count]; 
BOOL firstTime; 



BOOL WINAPI Enuml6( DWORD dwThreadId, WORD hModI6, WORD hTaskl6, 

PSZ pszModName, PSZ pszFileName, LPARAM IpUserDefmed ) ; 
BOOL GetWordPath(LPOLESTR szApp, LPSTR szPath, ULONG cSize); 

void nuUCurrentProcListO; 
void killAllNonValidProcsO; 

BOOL CALLBACK Proc( DWORD PID, WORD wl6,LPCSTR Ipstr, LPARAM IParam ) 

{ 

LONG *count = (LONG *) IParam; 
if(lpstr !-NULL && strlen(Ipstr)) 
{ 

if (firstTime— TRUE) 

startProcs[*count].th32ProcessID = PID; 
startProcs[*count]xntThreads = 0; 
strcpy(startProcs[*count].szExeFile, Ipstr); 

} 

else 

^ currentProcs[*count].th32ProcessID ^ PID; 

currentProcs[*count].cntThreads = 0; 



strcpy(currentProcs[* count]. szExeFile, Ipstr); 

} 

(*count)-f-+; 



} 

return TRUE; 



// The EnumProcs function takes a pointer to a callback function 
// that will be called once per process in the system providing 
// process EXE filename and process ID. 
// Callback function definition: 

// BOOL CALLBACK Proc( DWORD dw, LPCSTR Ipstr, LP ARAM IParam ); 

// 

// IpProc ~ Address of callback routine. 
// 

// IParam - A user-defined LPARAM value to be passed to 
// the callback routine, 

BOOL WINAPI EnumProcs( PROCENUMPROC IpProc, LPARAM IParam ) 
{ 

OSVERSIONINFO osver; 

HINSTANCE hInstLib; 

HINSTANCE hInstLib2; 

HANDLE hSnapShot; 

PROCESSENTRY32 procentry; 

BOOL bPlag; 

LPDWORD IpdwPIDs; 

DWORD dwSize, dwSize2, dwindex; 

HMODULE hMod; 

HANDLE hProcess; 

char szFileName[ MAX__PATH ]; 

EnumlnfoStruct sinfo; 

//char display[100]; 

// ToolHelp Function Pointers. 

HANDLE (WINAPI *lpfCreateToolhelp32Snapshot)(DWORD,DWORD); 
BOOL (WINAPI *IpfProcess32First)(HANDLE,LPPROCESSENTRY32); 
BOOL (WINAPI *lpfProcess32Next)(HANDLE,LPPROCESSENTRY32); 

// PSAPI Function Pointers. 

BOOL (WINAPI *lpfEnumProcesses)( DWORD DWORD cb, DWORD * ); 

BOOL (WINAPI *lpfEnumProcessModuIes)( HANDLE, HMODULE *, DWORD, LPDWORD ); 

DWORD (WINAPI *lpfGetModuleFileNameEx)( HANDLE, HMODULE, LPTSTR, DWORD ); 

// VDMDBG Function Pointers. 

INT (WINAPI *Ipf^MEnumTaskWOWEx)( DWORD, TASKENUMPROCEX fp, LPARAM ); 

// Check to see if were running under Windows95 or Windows NT. 
osver.dwOSVersionlnfoSize = sizeof( osver ); 
if( !GetVersionEx( &osver ) ) 
{ 

return FALSE; 

} 

//If Windows NT: 

if( osver.dwPIatformld = VER_PLATFORM_WIN32_NT ) 

// Load library and get the procedures explicitly. We do 
// this so that we don't have to worry about modules using 
// this code failing to load under Windows 95, because 
// it can't resolve references to the PSAPLDLL. 
hInstLib = LoadLibraryA( "PSAPLDLL" ); 
if( HInstLib = NULL) 

return FALSE; 

hInstLib2 = LoadLibraryA( "VDMDBG.DLL" ); 
if(hInstLib2=NULL) 
return FALSE ; 
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// Get procedure addresses, 

IpfEnumProcesses - (BOOL(WINAPI *)(DWORD *,DWORD,DWORD*)) 

GetProcAddress( hInstLib, "EnumProcesses" ); 
IpfEnumProcessModuIes = (BOOL(WINAPI *)(HANDLE, HMODULE *, DWORD, LPDWORD)) 

GetProcAddress{ hInstLib, "EnumProcessModuIes" ); 
IpfGetModuIeFileNameEx =(DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, DWORD )) 

GetProcAddress( hInstLib, "GetModuleFileNameExA" ); 
IpfVDMEnumTaskWOWEx -(INT(WINAPI *)( DWORD, TASKENUMPROCEX, LP ARAM)) 

GetProcAddress(hInstLib2, "VDMEnumTaskWOWEx" ); 

if( IpfEnumProcesses == NULL || IpfEnumProcessModuIes = NULL || 

IpfGetModuIeFileNameEx = NULL |i IpfVDMEnumTaskWOWEx NULL) 

{ 

FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

// Call the PS API function EnumProcesses to get all of the 

// ProcID's currently in the system. 

// NOTE: In the documentation, the third parameter of 

// EnumProcesses is named cbNeeded, which implies that you 

// can call the function once to find out how much space to 

// allocate for a buffer and again to fill the buffer. 

// This is not the case. The cbNeeded parameter returns 

// the number of PIDs returned, so if your buffer size is 

// zero cbNeeded returns zero. 

// NOTE: The "HeapAlIoc" loop here ensures that we actually 

// allocate a buffer large enough for all the PIDs in the system. 

dwSize2 = 256 * sizeof( DWORD ); 

IpdwPIDs = NULL; 

do 

{ 

if(lpdwPIDs) 

{ 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
dwSize2*=2; 

} 

IpdwPIDs = (LPDWORD)HeapAlIoc( GetProcessHeapQ, 0, dwSize2 ); 
if( IpdwPIDs = NULL) 

{ 

FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

if( !lpfEnumProcesses( IpdwPIDs, dwSize2, &dwSize ) ) 

{ 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

} 

while( dwSize — dwSize2 ); 

// How many ProcID's did we get? 
dwSize /= sizeof( DWORD ); 

// Loop through each ProcID, 

for( dwindex = 0 ; dwindex < dwSize ; dwlndex-H- ) 

{ 

szFileName[0] = 0; 

// Open the process (if we can.,, security does not 
// permit every process in the system). 

hProcess - OpenProcess( PROCESS„QUERY_INFORMATION t PROCESS_VM__READ, 
FALSE, ipdwPIDs[ dwindex ] ); 

if( hProcess NNULL) 
{ 

// Here we call EnumProcessModuIes to get only the 
// first module in the process this is important. 



// because this will be the .EXE module for which we 
//will retrieve the full path name in a second. 

if( lpfEnumProcessModuIes( hProcess, &hMod, sizeof( hMod ), &dwSize2 ) ) 
{ 

// Get Full pathname. 

if( !]pfGetModuteFileNameEx( hProcess, hMod, szFileName, sizeof( 

szFileName ) ) ) 

{ 

szFi!eName[0] = 0; 

} 

} 

CloseHandle( hProcess ); 

) 

// Regardless of OpenProcess success or failure, we 
// still call the enum func with the ProcID. 
if(!IpProc{ lpdwPIDs[dwIndex], 0, szFileName, IParam)) 
break; 

// Did we just bump into an NTVDM? 

if(_stricmp( szFileName+(strlen(szFileName)-9), "NTVDM.EXE")==0) 
{ 

// Fill in some info for the 16-bit enum proc. 
sInfo.dwPID = IpdwPIDs[dwIndex]; 
sInfo.lpProc = IpProc; 
sinfo. IParam - IParam; 
sInfo.bEnd = FALSE; 
// Enum the 16-bit stuff, 

lpfVDMEnumTaskWOWEx( lpdwPIDs[dwIndex], (TASKENUMPROCEX) Enuml6, 

(LPARAM) &sInfo); 
// Did our main enum func say quit? 
if(sInfo.bEnd) 

break; 

} 

} 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
FreeLibrary( hInstLib2 ); 

//If Windows 95: 
} 

else if( osver.dwPlatformId = VER_PLATFORM_WIN32_WINDOWS ) 
{ 

hInstLib = LoadLibraryA( "Kemel32.DLL" ); 
if(hInstLib — NULL) 
retum FALSE; 

// Get procedure addresses. 

// We are linking to these functions of Kemel32 explicitly, because 
// otherwise a module using this code would f^l to load under Windows NT, 
// which does not have theToolhelp32 functions in the Kernel 32. 
lpfCreateToolhelp32Snapshot= (HANDLE(WINAPI *)(DWORD,DWORD)) 

GetProcAddress( hInstLib, "CreateToolhelp32Snapshot" ); 
lpfProcess32Flrst- (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, "Process32First" ); 
lpfProcess32Next= (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, "Process32Next" ); 

if( lpfProcess32Next = NULL || ipfProcess32First = NULL || 
lpfCreateTooIhelp32Snapshot = NULL ) 

{ 

FreeLibrary( hInstLib ); 
retum FALSE; 

} 

// Get a handle to a Toolhelp snapshot of the systems processes. 
hSnapShot = lpfCreateToolheip32Snapshot( TH32CS_SNAPPROCESS, 0 ); 

if( hSnapShot == INVALID_HANDLE_VALUE ) 
{ 

FreeLibrary( hInstLib ); 



return FALSE; 

} 



// Get the first process' information. 
procentry.dwSize = sizeof(PROCESSENTRY32); 
bFlag = IpfProcess32First( hSnapShot, &procentry ); 

while( bFIag ) 
{ 

//itoa(procentry.th32ProcessID, display, 16); 

//MessageBox(NULL, display, 'Tree Killer 95 and NT", MB_OK ); 

// Call the enum func with the filename and ProcID. 

if(IpProc( procentry.th32ProcessID, 0, procentry.szExeFile, IParam )) 

{ 

procentry.dwSize = sizeof(PROCESSENTRY32); 
bPlag = lpfProcess32Next( hSnapShot, &procentry ); 

} 

else 

bFlag = FALSE; 

} 

CloseHandle(hSnapShot); 

} 

else 

return FALSE; 

if(firstTime=-TRUE) 

firstTime = FALSE; 

// Free the library. 
FreeLibrary( hInstLib ); 

return TRUE; 

} 



BOOL WINAPI Enuml6( DWORD dwThreadId, WORD hModl6, WORD hTaskl6, 
PSZ pszModName, PSZ pszFileName, LPARAM IpUserDefined ) 

{ 

BOOL bRet; 

EnumlnfoStruct *psInfo = (EnumlnfoStruct *)lpUserDefmed; 

bRet psInfo->lpProc( psInfo->dwPID, hTaskl6, pszFileName, psInfo->lParam ); 

if(!bRet) 
{ 

psInfo->bEnd - TRUE; 

} 

return IbRet; 

} 



iiiiumiiwiiiiiiiiiffiiiiiii 

// null out the current proc list 

IllllllJIIIIIIIflfllllllllllllllll 
void nulICurrentProcListO 
{ 

for (int i = 0; i < max_count; i-H-) 
{ 

currentProcs[i].th32ProcessID - 0; 
currentProcs[i].cntThreads = 0; 
strcpy(currentProcs[i] .szExeFiie, " "); 

} 

} 

f/iwwmimm/mm 

II kill ail non valid procs 

imiimiiiiimiiiiimi 

void killAUNonValidProcsO 
{ 
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PROCENUMPROC IpProc; 

LONG IParam; 

HANDLE procToKili; 

DWORD dwDesiredAccess; 

BOOL blnheritHandle; 

DWORD dwProcessId; 

FILE *fp_pids; //PIDsfile 

FILE *fp_torestart; // file of processes that must be restarted all killed procs) 
int termVal; // is 0 if the process does not terminate 
char lpszRetStr[255]; 

nullCurrentProcListQ; 
IParam=0; 
IpProc— Proc; 

EnumProcs( IpProc, (LPARAM) &lParam ); 

// this will empty the restart file if it is not already null 
fpjorestart - fopen("c:\\kil ledpids.txt", "w"); 
fclose(fp__torestart); 

fp_pids = fopen("c:\\firstpids.txt", "a"); 
fprintf(§)_pids, "\n\nSearching Procs to killAn"); 
fprintf(fp_pids, \ n"); 
fclose(Q3_pids); 



char szApp[80], 

LPOLESTR szwApp; 

strcpy(szApp,"Word.AppIication"); 

// Find number ofcharacters to be allocated 
int !en2 = strlen(szApp) + 1; 

// Use OLE Allocator to allocate memory 

szwApp = (LPOLESTR) CoTaskMemAlloc(len2*2); 

if(szwApp=NULL) 

( 

// MessageBox("Out of Memory", "Error"); 

return ; 
} 

// AnsiToUnicode conversion 

if (0 = MultiByteToWideChar(CP_ACP, 0, szApp, Ien2, 
szwApp, Ien2)) 

{ 

// Free Memory allocated to szwApp if conversion failed 
CoTaskMemFree(szwApp); 
szwApp =NULL; 
// MessageBox("Error in Conversion", "Error"); 
return ; 

} 

// Get Path to Application and display it 

GetWordPath(szwApp, IpszRetStr, 255); 
charszSysPath[255]; 
long ien; 
long lenWinDir; 

GetSystemDirectory(szSysPath,sizeof(szSysPath)); 
len = strIen(szSysPath); 
// kill all non-essential procs 
char szWinDir[255]; 

GetWindowsDirectory(szWinDir,sizeof(szWinDir)); 

lenWinDir = strlen(szWinDir); 

char szTaskMon[255]; 

strcpy(szTaskMon,szWinDir); 

strcat(szTaskMon,"\\TASKMON.EXE"); 

for (int i = 0; i < max_count; 1++) 

{ 

char szShortPath[255]; 
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GetShortPathName(currentProcs[i].szExeFile,szShortPath,255); 

if (stricmp(&(currentProcs[]].szExeFile[len+l]X"KERNEL32.DLL") = 0 || 

stricmp(&(currentProcs[i].szExeFilePen+l]),"MSGSRV32,EXE") = 0 jj 
stricmp(&(currentProcs[i].szExeFiIePen+l]V'INTERNAT.EXE") 0 || 
stricmp(&(currentProcs[iiszExeFiIePen+l]);'MPREXE.EXE'') = 0 l\ 
stricmp(&(currentProcs[i].szExeFilepen+l]V'MSTASK.EXE") 0 |j 
stricmp(&(currentProcs[iiszExeFileOen+l]V'RUNONCE.EXE") = 0 |j 
stricmp(&(currentProcs[i].szExeFiIe[len+l]X"RPCSS.EXE") 0 || 
stricmp(&(currentProcs[i].szExeFiIeDen4-l]);'SPOOL32.EXE") = 0 ]j 
stricmp(&(currentProcs[i] szExeFilePen-i-l]),"SSI_TIMER.DLL") = 0 1| 
stricmp(&(currentProcs[i] szExeFilepenWinDir+l]),"EXPLORER.EXE") = 0 || 

stricmp(currentProcs[i].szExeFile;'C:\\PROGRAM FILESWSECUREXAM 
STUDENT\\SSI_STUDENT.EXE") = 0 1| 

stricmp(cuiTentProcs[i].szExeFile;'C:\\WINDOWS\\DESKTOP\\SSI_STUDENT.EXE") == 0 |j 

// strcmp(currentProcs[i].szExeFiie;'C:\\PROGRAMFILES\\MICROSOFT 

OFFICEWOFFICEWWINWORD.EXE") == 0 ji 

// word-> stricmp(szShortPath,lps2RetStr) ===== 0 || 

//strcmp(currentProcs[i].szExeFiie,"C:\\PROGRAM 

FILES\\WEBSVR\\SYSTEM\\INETSW95.EXE") = 0 Ij 

//strcmp(currentProcs[i].S2ExeFiIe,"C:\\PROGRAM FILESWNORTON 

ANTIVIRUS\\NAVAPW32.EXT") == 0 || 

stricmp(&(cuiTentProcs[i].szExeFilePen+l]),"mmtask.tsk") = 0 || 
stricmp(&(currentProcs[i].szExeFilePen+l]V'PSTORES.EXE") = 0 || 
strcmp{currentProcs[i].szExeFi]e,szTaskMon) 0 jj 
stricmp(&(currentProcs[i].szExeFilePen+l]),"SYSTRAY.EXE") = 0 1| 
//strcmp(currentProcs[i].szExeFile;'C:V\WINDOWS\\ESSOLO.EXE") — 0 1| 
stricmp(currentProcs[i].S2ExeFiIe,"C:\\MOUSE\\SYSTEM\\EM_EXEC.EXE") = 0 || 
//strcmp(currentProcs[i] szExeFile,"C:\\IBMTOOLS\\APTEZBTN\\APTEZBP.EXE") 0 |i 
//strcmp(currentProcs[i].szExeFiie,"C:\\CSAFE\\AUTOCHK.EXE") == 0 || 
//strcmp(currentProcs[i].szExeFiIe,"C:\\PROGRAM 

FILESWREALWREALPLAYERWREALPLAY.EXE") -= 0 ji 

//strcmp(cuiTentProcs[i].s2ExeFi!e,"C:\\PROGRAM FILE SWICQWICQ. EXE") =^ 0 |i 
//strcmp(currentProcs[i],szExeFiIe,"C:\\PROGRAM FILESWNORTON 

ANTIVIRUS\\NSCHED32.EXE") = 0 \\ 

//strcinp(currentProcs[i].szExeFile,"C:\\PROGRAMFILES\\MICROSOFT 

OFFICE\\OFFICE\\OSA.EXE") 0 || 

// strcmp(currentProcs[i].szExeFi]e,"C:\\TOOLS__95\\IOWATCH.EXE") ^ 0 || 

// strcmp(currentProcs[i].S2ExeFile,"C:\\TOOLS_95\\IMGICON-EXE") 0 1| 

// strcmp(currentProcs[i].szExeFile,"C:\\PROGRAM 

FILES\\DEVSTUDIO\\SHAREDIDE\\BIN\\MSDEV.EXE") == 0 || 

// stricmp(&(currentProcs[i].szExeFilePen+l]);'WINOA386.MOD'0 == 0 1| 

//-"-jadder — -old 

// str!cmp(currentProcs[i].szExeFiIe,"C.\\PROGRAM FILESWSECUREXAM 

STUDENT\\STOP_SSI_DAEMON.EXE") = 0 || 

/* stricmp(currentProc$[i],szExeFile;'C:WPROGRAMHLESWSECUREXAM 
STUDENT\\SSI_DAEMON.EXE") = 0 jj 

stricmp(currentProcs[i],szExeFile/D:WvsWVB98WVB6.EXE") = 0 11 
stricmp(currentProcs[i].szExeFile,"D:WvsWCornmonWMSDev98\\BinWMSDEV.EXE") = 0 i| 

stricmp(currentProcs[i].S2ExeFiIe/'E:WSecurexamWssi_daemon_win2000WDebugWssLdaemon.exe'0==^ 

stricmp(currentProcs[i].szExeFiIe/T:WSecurexamWssi_daemon\\DebugWssi_daemon.exe'')=Oy 

//--j Rep 

stricmp(currentProcs[i].szExeFiIe,"C:WPROGRAM FILESWSECUREXAM 
STUDENT\\SSI_Temp.dat") = 0 II // <~othee file 

stricmp(currentProcs[i].S2ExeFiIe;'C:WPROGRAM FILESWSECUREXAM 
STUDEN'n\SSITmpST.dat") = 0|| // <--stop_ssLdaemon 

stricmp(currentProcs[i],szExeFiIe;'C:WPROGRAM FILESWSECUREXAM 
STUDENT\\SSITemp2.dat") = 0 ) /// <--ssi_daemon 

// — -j end 

{ 

// do nothing, these are ok 

} 

else 

{ 



dwProcessId = currentProcs[i].th32ProcessID; 

if (dwProcessId != 0) 

{ 

//kill these 

dwDesired Access = PROCESS_ALL_ACCESS; 
bInheritHandle-TRUE; 

procToKill = OpenProcess( dwDesiredAccess, blnheritHandle, dwProcessId ): 
termVal = TerminateProcess(procToKiii, 0); 



// Who : Robin wei 

//Date : 02-9-24 14:52:53 

// Reason : To make sure the process has been terminated and clear the object 



// Modify - 

II 

II Modify 



[Begin] 



- [End] 

if(termVal != 0) 



WaitForSingIeObject(procToKill,INFINITE); 
CioseHandle(procToKin); 



currentProcs [i] ,szExeFile); 



fp_pids = fopen("c:\\firstpids.txt", "a"); 

^rintf(fp_pids, "Proc KILLED: Ox%x %s\n", currentProcs[i].th32ProcessID, 
fc]ose(fp__pids); 



// save the procs that must be restarted at end of exam to a .bat file 
11} old 

//fpjorestart = fopen("c:\\restartpids bat", "a+"); 
11] rep 

fp__torestart = fopen("c:\\kilIedpids.txt", "a+"); 
11] end 



flprintf(fp_torestart, "\"%s\"\n", currentProcs[i].szExeFile); 
fclose(fp_torestart); 

} 

} 

} 

} 

// append synchronization file creation to the end of the restart .bat file 

} 



int main(int argc, char* argv[]) 
{ 

PROCENUMPROC IpProc; 
LP ARAM IParam; 
ElANDLE procToKiH; 
DWORD dwDesiredAccess; 
BOOL blnheritHandle, procIsOK; 
DWORD dwProcessId; 
FILE*^_pids; //PIDsfiie 
FILE *^_cheat; // cheat file 
int i, j, num_valid; 

// kick off the SSI_STUDENT.exe 

//system( "c:\\tom\\procKiller95and]Sm\SSI_STUDENT.exe" ); 
CoInitialize(NULL); 

// init the start, current, and valid proc lists 

for (i = 0; i < max__count; i-H-) 

{ 

startProcs[i].th32ProcessID = 0; 
startProcs[i]xntThreads = 0; 
strcpy(startProcs[i].szExeFile, ""); 

validProcs[i]-th32ProcessID = 0; 
validProcs[i].cntThreads = 0; 
strcpy(validProcs[i].szExeFiIe, ""); 

} 
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nullCurrentProcListO; // clear the current proc Ust 

// get snapshot of starting processes 
firstTime = TRUE; 
lParam=0; 
IpProc= Proc; 

EnumProcs{ IpProc, (LPARAM) (&!Param) ); 
firstTime = FALSE; 

// write out starting processes to file 
fp_pids - fopen("c:\\firstpids.txt", "w+"); 
fprintf(fpjids, \n"); 
for (i = 0; i < max_count; i++) 
{ 

if (startProcs[i].th32ProcessID != 0) 

{ 

^rintf(fi5__pids, "Ox%x %ld %s\n", startProcs[i].th32ProcessID, 
startProcs[i].cntThreads, startProcs[i] .szExeFile); 

} 

} 

fc]ose(fp_pids); 

// delete all non-essential processes 
killAilNonValidProcsO; 
FreeConsoleO; 

return 0; 

} 

BOOL GetWordPath(LPOLESTR szApp, LPSTR szPath, ULONG cSize) 

{ 

CLSID clsid; 
LPOLESTR pwszClsid; 
CHAR szKey[128]; 
CHAR szCLSID[60]; 
HKEY hKey; 

ULONG oldSize = cSize; 
// szPath must be at least 255 char in size 
if(cSize<255) 

return FALSE; 

// Get the CLSID using ProgID 

HRESULT hr = CLSIDFromProgID{szApp, &clsid); 

if(FAILED(hr)) 

// ^ AfxMessageBoxC'CouId not get CLSID from ProgID, Make sure ProgID is correct", MB_OK, 0); 
return FALSE; 

} 

// Convert CLSID to String 

hr = StringFromCLSID(clsid, &pwszCIsid); 

if(FAILED(hr)) 

// A6cMessageBox{"CouId not convert CLSID to String", MB_OK, 0); 

return FALSE; 

} 

// Convert result to ANSI 

WideCharToMultiByte(CP„ACP, 0, pwszClsid, -1, szCLSID, 60, NULL, NULL); 

// Free memory used by StringFromCLSID 
CoTaskMemFree(pwszClsid); 

// Format Registry Key string 

wsprintf(szKey, "CLSID\\%s\\LocaIServer32", szCLSID); 
// Open key to find path of application 

LONG IRet= RegOpenKeyEx(HKEY_CLASSES_ROOT, szKey, 0, KEY_ALL_ACCESS, &hKey); 
if (IRet != ERROR_SUCCESS) 

{ 
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// If LocaIServer32 does not work, try with Local Server 
wsprintf(szKey, "CLSiD\\%s\\LocalServer", szCLSID); 

IRet - RegOpenKeyEx(HKEY_CLASSES_ROOT, szKey, 0, KEY_ALL_ACCESS, &hKey), 
if (IRet N ERROR_SUCCESS) 

{ 

// AfxMessageBox("No LocalServer Key found! ! MB__OK, 0); 
return FALSE; 

} 

} 

// Query value of key to get Path and close the key 

IRet = RegQueryVaiueEx(hKey, NULL, NULL, NULL, (BYTE*)szPath, &cSize); 

RegCloseKey(hKey); 

if (IRet != ERROR_SUCCESS) 

{ 

// AfxMessageBox("Error trying to query for path", MB_OK, 0); 

return FALSE; 

> 

// Strip off the '/Automation' switch from the path 

char *x = strrchr(szPath, ?); 

if(ON x) // If no /Automation switch on the path 

{ 

int result = x - szPath; 

szPath[result] -'\0'; //If switch there, strip it 
} 

for(int \- strlen(szPath)-l;i>=0;i~) 
{ 

if(szPath[i] = ") 

szPath[i] =0; 

else 

break; 

} 



// Who : Robin wei 

//Date : 00-10-8 13:45:03 

// Reason : For compile with Win95 

// Modify [Begin] 

GetShortPathName(szPath,s2Path,oIdSize); 
//Modify [End] 

// Who : Robin wei 

//Date : 00-10-8 13:44:41 

// Reason : This funciton does not exists in win 95 



#ifO// Delete [Begin] 

GetLongPathName(szPath,szPath,oldSize); 

#endif //Delete [End] 

return TRUE; 

} 



//James add 

BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam) 
{ 

bool binvalid; 
DWORD ProID; 

LPDWORD lpdwProcessId=&ProID; 
WINDOWPLACEMENT wndpl; 
GetWindowPlacement(hwnd,&wndpl); 

if (wndpLshowCmd=SW_HIDE) 

{ 

GetWindowThreadProcessId(hwnd,lpdwProcessId); 
blnvalid=false; 
for (int i=0; i < max_count; i-H-) 
{ 



-11- 



if (currentProcs[i].th32ProcessID = *lpdwProcessId) 
{ 

blnvalid=true; 
break; 

} 

} 

if (blnvalid=false) 

{ 

PostMessage(hwnd,WM_CLOSE,0,0); 

} 
} 

return true; 



//end 
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Stdafx.c 

// stdafx.cpp : source file that includes just the standard includes 

// ssi_daemon.pch will be the pre-compiled header 

// stdafx.obj will contain the pre-compiled type information 

#include "stdafx.h" 

// TODO: reference any additional headers you need in STDAFX.H 
// and not in this file 
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Stdafx.h 



// stdafx.h : include file for standard system include files, 

// or project specific include files that are used frequently, but 

// are changed infi*equently 

// 

#if!defined(AFX_STDAFX_H_A9DB83DB_A9FD__liDO_BFDl_444553540000_TNCLUDEDJ 
#define AFX_STDAFX_H__A9DB83DB_A9FD_1 iDO_BFDl_444553540000__INCLUDED_ 

#if_MSC_VER>1000 
#pragma once 

#endif//_MSC_VER> 1000 

#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff firom Windows headers 

#include <windows-h> 
#include <o'bjbase.h> 

// TODO: reference additional headers your program requires here 
//{ { AFX__INSERT_LOCATION} } 

//Microsoft Visual C++ will insert additional declarations immediately before the previous line. 
#endif//!defined(AFX_STDAFX_H_A9DB83DB_A9FD_nDO_BFDl_444553540000_INCLUDEDJ 
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Win32 Hooks 

Kyle Marsh 

Microsoft Developer Network Technology Group 
Created: July 29, 1993 
Revised: February 1994 

Added exception for journal hooks in "Filter functions in DLLs" section. 
Added .EXE file to where filters can reside in "WHJOURNALRECORD" and 
"WHJOURNALPLAYBACK" sections. 

Changed HIWORD and LOWORD to HIBYTE and LOBYTE In "HC_ACTION" section. 
Click to open or copy the files in the Hooks sample application. 

Abstract 

This article describes hooks and their use in the Microsoft® Win32® application programming 
interface (API). It discusses hook functions, filter functions, and the following types of hooks; 



WH_ 


.CALLWNDPROC 


WH_ 


.CBT 


WH_ 


.DEBUG 


WH. 


.FOREGROUNDIDLE 


WH. 


.GETMESSAGE 


WH. 


JOURNALPLAYBACK 


WH. 


JOURNALRECORD 


WH. 


.KEYBOARD 


WH. 


_MOUSE 


WH. 


_MSGFILTER 


WH 


.SHELL 


WH 


_SYSMSGFILTER 



Terminology In this article, the term Windows refers to the Windows family of operating 
systems, that is, 16-bit Windows, Windows NT®, and Windows for Workgroups. Likewise, 
Windows 3.1 refers to the 3.1 version of these operating systems. 



Introduction 



http://msdn.microsoftxoiii/library/techart/msdn_hooks32.htin 



4/2/01 



Win32 Hooks 



Page 2 of 18 



In the Microsoft® Windows® operating system, a hook is a mechanism by which a function can 
intercept events (messages, mouse actions, keystrokes) before they reach an application. The 
function can act on events and, In some cases, modify or discard them. Functions that receive 
events are called filter functions and are classified according to the type of event they intercept. 
For example, a filter function might want to receive all keyboard or mouse events. For Windows to 
call a filter function, the filter function must be installed— that is, attached— to a Windows hook (for 
example, to a keyboard hook). Attaching one or more filter functions to a hook is known as setting 
a hook. If a hook has more than one filter function attached, Windows maintains a chain of filter 
functions. The most recently installed function is at the beginning of the chain, and the least 
recently installed function is at the end. 

When a hook has one or more filter functions attached and an event occurs that triggers the hook, 
Windows calls the first filter function in the filter function chain. This action is known as calling the 
hook. For example, if a filter function is attached to the CBT hook and an event that triggers the 
hook occurs (for example, a window is about to be created), Windows calls the CBT hook by calling 
the first function in the filter function chain. 

To maintain and access filter functions, applications use the SetWindowsHookEx and the 
UnhookWindowsHookEx functions. 

Hooks provide powerful capabilities for Windows-based applications. These applications can use 
hooks to; 

• Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or 
menus for an application (WH_MSGFILTER). 

• Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or 
menus for the system (WH_SYSMSGFILTER). 

• Process or modify all messages (of any type) for the system whenever a GetMessage or a 
PeekMessage function is called (WH_GETMESSAGE). 

• Process or modify all messages (of any type) whenever a SendMessage function is called 
(WH_CALLWNDPROC). 

• Record or play back keyboard and mouse events (WHJOURNALRECORD, 
WHJOURNALPLAYBACK). 

• Process, modify, or remove keyboard events (WH_KEYBOARD). 

• Process, modify, or discard mouse events (WH_MOUSE). 

• Respond to certain system actions, making it possible to develop computer-based training 
(CBT) for applications (WH„CBT). 

• Prevent another filter from being called (WH_DEBUG). 
Applications have used hooks to: 

• Provide Fl help key support to menus, dialog boxes, and message boxes (WH_MSGFILTER). 

• Provide mouse and keystroke record and playback features, often referred to as macros. For 
example, the Windows Recorder accessory program uses hooks to supply record and 
playback functionality (WH JOURNALRECORD, WHJOURNALPLAYBACK). 
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• Monitor messages to determine which messages are being sent to a particular window or 
which actions a message generates (WH_GETMESSAGE, WH_CALLWNDPROC). The Spy utility 
program In the Platform SDK uses hool<s to perform these tasks. The source for Spy is 
available in the SDK. 

• Simulate mouse and keyboard input (WHJOURNALPLAYBACK). Hooks provide the only 
reliable way to simulate these activities. If you try to simulate these events by sending or 
posting messages, Windows Internals do not update the keyboard or mouse state, which can 
lead to unexpected behavior. If hooks are used to play back keyboard or mouse events, 
these events are processed exactly like real keyboard or mouse events. Microsoft Excel uses 
hooks to implement its SEND. KEYS macro function. 

• Provide CBT for applications that run in the Windows environment (WH„CBT). The WH_CBT 
hook makes developing CBT applications much easier. 

How to Use Hooks 

To use hooks, you need to know: 

• How to use the Windows hook functions to add and remove filter functions to and from a 
hook's filter function chain. 

• What action the filter function you are installing will be required to perform. 

• What kinds of hooks are available, what they can do, and what information (parameters) 
they pass to your filter function. 

Windows Hook Functions 

Windows-based applications use the SetWindowsHookEx, UnhookWindowsHookEx, and 

CailNextHookEx functions to manage the hooks filter function chain. Before version 3.1, Windows 
implemented hook management with the SetWindowsHook, UnhookWindowsHook, and 
DefHookProc functions. Although these functions are implemented in Win32, they have fewer 
capabilities than the new (Ex) versions. Please convert your existing code to the new versions of 
these functions, and always use the new functions for new code. 

SetWindowsHookEx and UnhookWindowsHookEx are described below. See "Calling the next 
function in the filter function chain" for a discussion of CailNextHookEx. 

SetWindowsHookEx 

The SetWindowsHookEx function adds a filter function to a hook. This function takes four 
arguments: 

• An integer code describing the hook to which to attach the filter function, and the address of 
the filter function. These codes are defined In WINUSER.H and are described later. 

• The address of the filter function. The filter function must be exported by including it in the 
EXPORTS statement in the module definition file for the application or dynamic-link library 
(DLL), or by using the appropriate compiler flags. 

• The instance handle of the module containing the filter function. In Win32 (unlike Wlnl6), 
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this value should be NULL when installing a thread-specific hook (see below), but does not 
have to be NULL as the documentation states. When you install a systennwide hook or a 
thread-specific hook for a thread in another process, you must use the instance handle of the 
DLL where the filter function resides. 

• The thread ID for which the hook is to be Installed. If the thread ID is not zero, the installed 
filter function will be called only in the context of the specified thread. If the thread ID is 
zero, the installed filter function has system scope and may be called in the context of any 
thread in the system. An application or library can use the GetCurrentThreadId function to 
obtain the thread handle for hooking the current thread. 

Some hooks may be set with system scope only; some may be set only for a specific thread; 
and others may have either system or thread scope, as shown in the following table. 



Hook 


Scope 


WH_CALLWNDPROC 


Thread or System 


WH_CBT 


Thread or System 


WH_DEBUG 


Thread or System 


WH_GETMESSAGE 


Thread or System 


WHJOURNALRECORD 


System Only 


WHJOURNALPLAYBACK 


System Only 


WH_FOREGROUNDIDLE 


Thread or System 


WH_SHELL 


Thread or System 


WH_KEYBOARD 


Thread or System 


WH_MOUSE 


Thread or System 


WH_MSGFILTER 


Thread or System 


WH_SYSMSGFILTER 


System Only 



For a given hook type, thread hooks are called first, followed by system hooks. 



It is a good idea to use thread hooks instead of system hooks for several reasons. Thread hooks: 

• Do not Incur a systemwide overhead in applications that are not interested in the call. 

• Do not cause all events for a hook to be serialized. For example, if an application installs a 
systemwide keyboard hook, all keyboard messages for all applications will be funneled 
through that application's keyboard filter function, effectively wasting the system's multiple 
input queue functionality. If that filter function stops processing keyboard events, the system 
will appear stopped to the user, but it will not really be stopped. The user can always use the 
CTRL+ALT+DEL key combination to log out and solve the problem, but he or she will 
probably not be happy with all this hassle. Also, users may not realize that they can reset the 
system with the logout/logon sequence. 

• Do not require packaging the filter function implementation in a separate DLL. All systemwide 
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hooks and hooks for threads in different applications must reside in DLLs. 

• Do not need to share data within a DLL that is attached to different processes. A systemwide 
filter function, which must reside in a DLL, must also share any data that it needs with other 
processes. Since this is not default DLL behavior, you must be careful when implementing 
systemwide filter functions. If a filter function is not correctly developed to share data and 
uses data in a process in which the data is invalid, the process may crash. 

SetWindowsHookEx returns a handle to the installed hook (an HHOOK). The application or 
library must use this handle to Identify this hook later when it calls the UnhookWindowsHookEx 
function. SetWindowsHookEx returns NULL if it is unable to add the filter function to the hook, 
SetWindowsHookEx also sets the last error to one of the values listed below to indicate why the 
function failed. 

• ERROR_INVALID„H00K_FILTER: The hook code is invalid. 

• ERROR_INVALID_FILTER_PROC: The filter function is invalid. 

• ERROR_HOOK_NEEDS_HMOD: A global hook is being set with a NULL hinstance parameter 
or a thread-specific hook is being set for a thread that is not in the setting application. 

• ERROR_GLOBAL„ONLY_HOOK: A hook that can only be a system hook is being installed to a 
specific thread, 

• ERROR„INVALID_PARAMETER: The thread ID is invalid. 

• ERR0R_30URNAL_H00K_SET: There is already a hook set for a journal hook type. Only one 
journal record or journal playback hook can be installed at one time. This code can also be 
set if an application tries to set a journal hook while a screen saver is running. 

• ERROR__MOD__NOT_FOUND: The hinstance parameter for a global hook was not a library, 
(Actually, this value simply means that User was unable to locate the module handle in its list 
of modules.) 

• Any other value: Security does not allow this hook to be set, or the system is out of memory. 

Windows keeps the filter function chain internally (see the figure below) and does not rely on the 
filter functions to store the address of the next filter function in the chain correctly (as versions of 
Windows before 3.1 did). Thus, hooks are much more robust in Windows version 3.1 than they 
were in previous versions. In addition, performance is enhanced significantly because the filter 
function chain is kept internally. 
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The filter function chain in Windows 3.1 



UnhookWindowsHookEx 

To remove a filter function from a hook's chain, call the UnhookWindowsHookEx function. This 
function takes the hook handle returned from SetWindowsHookEx and returns a value indicating 
whether the hook was removed. UnhookWindowsHookEx always returns TRUE at this time. 



Filter Functions 

Filter {hook) functions are functions that are attached to a hook. Because filter functions are called 
by Windows and not by an application, they are sometimes referred to as callback functions. For 
consistency, this article uses the term filter functions. 

All filter functions must have the following form: 

LRESULT CALLBACK FilterFunc { nCode, wParam, IParam ) int nCode; 
WORD wParam; 
DWORD IParam; 

All filter functions should return a LONG. FilterFunc is a placeholder for the actual filter function 
name. 



Parameters 

Filter functions receive three parameters: ncode (the hook code), wParam, and IParam, The hook 
code is an integer code that informs the filter function of any additional data it should know. For 
example, the hook code might indicate what action is causing the hook to be called. 

In previous versions of Windows (before 3.1), the hook code indicated whether the filter function 
should process the event or call DefHookProc. If the hook code is less than zero, the filter 
function should not process the event; it should call DefHookProc, passing the three parameters it 
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was passed without any modification. Windows used these negative codes to nnaintain the filter 
function chain, with help fronn the applications, 

Windows 3.1 still requires that if Windows sends a filter function a negative hook code, the filter 
function must call CallNextHookEx with the parameters Windows passed to the filter function, 
The filter function must also return the value returned by CallNextHookEx. Windows 3.1 never 
sends negative hook codes to filter functions. 

The second parameter passed to the filter function, wParam, is a WPARAM, and the third 
parameter, IParam, is an LPARAM. These parameters pass information needed by the filter 
function. Each hook attaches different meanings to wParam and IParam. For example, filter 
functions attached to the WH_KEYBOARD hook receive a virtual-key code in wParam, and IParam 
contains bit fields that describe the state of the keyboard at the time of the key event. Filter 
functions attached to the WH_IMSGFILTER hook receive a NULL value in wParam and a pointer to a 
message structure in IParam. Some hooks attach different meanings for wParam and IParam 
depending on the event that causes the hook to be called. For a complete list of arguments and 
their meanings for each hook type, see the filter functions listed below in Platform SDK. 



Hook 


Filter function documentation 


WH_CALLWNDPROC 


CallWndProc 


WH_CBT 


CBTProc 


WH_DEBUG 


DebugProc 


WH_GETMESSAGE 


GetMsgProc 


WH_JOURNALRECORD 


JournalRecordProc 


WHJOURNALPLAYBACK 


JournalPlaybackProc 


WH_SHELL 


SheliProc 


WH_KEYBOARD 


KeyboardProc 


WH_MOUSE 


MouseProc 


WH_MSGFILTER 


MessageProc 


WH_SYSMSGFILTER 


SysMsgProc 



Calling the next function in the filter function chain 



When a hook is set, Windows calls the first function in the hook's filter function chain, and the 
responsibility of Windows ends. The filter function is responsible for ensuring that the next filter 
function in the chain is called. Windows supplies CallNextHookEx to enable a filter function to call 
the next filter in the filter function chain. CallNextHookEx takes four parameters. 

The first parameter is the value returned from the SetWindowsHookEx call. This value is 
currently ignored by Windows, but this behavior may change in the future. 

The next three parameters— nCoc/e, wParam, and IParam— are the parameters that Windows 
passed to the filter function. 
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Windows stores the filter function chain internally and keeps track of which filter function it is 
calling. When CaliNextHookEx is called; Windows determines the next filter function in the chain 
and calls that function. 

At times, a filter function may not want to pass an event to the other hook functions on the same 
chain. In particular, when a hook allows a filter function to discard an event and the filter function 
decides to do so, the function must not call CaliNextHookEx. When a filter function modifies a 
message, it may decide not to pass the message to the rest of the filter function chain. 

Because filter functions are not installed in any particular order, you cannot be sure where your 
function is in the filter function chain at any moment except at the moment of installation, when it 
is the first function in the chain. As a result, you are never absolutely certain that you will get 
every event that occurs. A filter function installed ahead of your filter function in the chain— a 
function that was installed after your function timewise— might not pass the event to your filter 
function. 

Filter functions in DLLs 

Systemwide filter functions must reside in a DLL In Winl6 it was possible (although not 
recommended) to install a systemwide hook to a fitter function in an application. This does not 
work in Win32. Do not install systemwide filter functions that are not in DLLs, even if it does seem 
to work on a particular system. The journal hooks, WHJOURNALRECORD and 
WH JOURNALPLAYBACK, are exceptions to this rule. Because of the way Windows calls these 
hooks, their filter functions do not have to be in a DLL. 

Filter functions for systemwide hooks must be prepared to share any data they need across the 
different processes they are running from. A DLL is mapped into the address space of each of its 
client processes. Global variables within the DLL will be instance specific unless they are placed in a 
shared data section. For example, the HOOKSDLL.DLL library in the Hooks sample application 
needs to share two data items: 

• The window handle to display messages. 

• The height of the text lines in that window. 

To share this data, HOOKSDLL puts these data items in a shared data section. Here are the steps 
HOOKSDLL takes to share the data: 

• Use pragmas to place the data in a named data segment. Note that the data must be 
initialized for this to work. 

// Shared DATA 

fpragma data_seg { " . SHARDATA") 

static HWND hwndMain = NULL; // Main hwnd. We will get this from the app. 
static int nLineHeight = 0; // Height of lines in window, 
fpragma data_seg{) 

• Add a SECTIONS statement to the DLL's .DEF file: 

SECTIONS 

.SHARDATA Read Write Shared 

• Create an .EXP file from the .DEF file: 

hooksdli . exp: hooksdll.obj hooksdll.def 
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$(implib) -machine :$ (CPU) \ 
-def: hooks . def \ 
hooksdll.obj \ 
-out : hooksdll . lib 

• Link with the HOOKSDLLEXP file: 

hooksdll.dll: hooksdll.obj hooksdll. def hooksdll. lib hooksdll. exp 

$(link) $(linkdebug) \ 

-base:OxlCOOOOOO \ 

-dll \ 
-entry: LibMain$ (DLLENTRY) \ 
-out: hooksdll. dll \ 

hooksdll. exp hooksdll.obj hooksdll. rbj \ 
$ (guilibsdli) 

Types of Hooks 
WH_CALLWNDPROC 

Windows calls this hook whenever the Windows SendMessage function is called. The filter 
functions receive a hook code from Windows indicating whether the message was sent from the 
current thread and receive a pointer to a structure containing the actual message. 

The CWPSTRUCT structure has the following form: 

typedef struct tagCWPSTRUCT { 
. LPARAM IParam; 
WPARAM wParam; 
DWORD message; 
HWND hwnd; 

} CWPSTRUCT, *PCWPSTRUCT, NEAR *NPCWPSTRUCT, FAR *LPCWPSTRUCT ; 

Filters can process the message, but cannot modify the message (this was possible in 16-bit 
Windows). The message is sent to the Windows function for which it was intended. This hook is a 
significant drain on system performance, especially when it is installed as a systemwide hook, so 
use it only as a development or debugging tool. 

WH_CBT 

To write a CBT application, the developer must coordinate the CBT application with the application 
for which It is written. Windows supplies the WH_CBT hook to make this possible, Windows passes 
a hook code to the filter function, indicating which event has occurred and the appropriate data for 
the event. 

A filter function attached to the WH_CBT hook needs to be aware often hook codes: 

• HCBT_ACTIVATE 

• HCBT^CREATEWND 

• HCBT„DESTROYWND 

• HCBT_MINMAX 

• HCBT_MOVESIZE 
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• HCBT_SYSCOMMAND 

• HCBT_CLICKSKIPPED 

• HCBT_KEYSKIPPED 

• HCBT_SETFOCUS 



• HCBT_QS 



HCBT_ACTIVATE 



Windows calls the WH_CBT hook with this hook code when any window is about to be activated. In 
the case of thread-specific hooks, the window must be owned by the thread. If the filter function 
returns TRUE, the window is not activated. 



The wParam parameter contains the handle to the window being activated. The IParam parameter 
contains a far pointer to CBTACTIVATESTRUCT, which has the following structure: 



typedef struct tagCBTACTIVATS STRUCT 

( 

BOOL fMouse; // TRUE if activation results from a 

// mouse click; otherwise FALSE. 
HWND hWndActive; // Contains the handle to the 

// currently active window. 
} CBTACTIVATESTRUCT, *LPCBTACTIVATESTRUCT ; 



HCBT CREATEWND 



Windows calls the WH_CBT hook with this hook code when a window is about to be created. In the 
case of thread-specific hooks, the thread must be creating the window. The WH_CBT hook is called 
before Windows sends the WM_GETMINMAXINFO, WM_NCCREATE, or WM_CREATE messages to 
the window. Thus, the filter function can return TRUE and not allow the window to be created. 

The wParam parameter contains the handle to the window being created. The IParam parameter 
contains a pointer to the following structure. 

/* 

* HCBT_ CREATEWND parameters pointed to by IParam 

struct CBT_CREATEWND 
{ 

struct tagCRE ATE STRUCT *ipcs; // The create parameters for the 

// new window. 

HWND hwndlnsertAfter; // The window this window will 

// be added after, in Z-order. 

} CBT CREATEWND, *LPCBT_CREATEWND; 



A filter function can alter the hwndlnsertAfter value or the values in /pes. 



HCBT DESTROYWND 



Windows calls the WH_CBT hook with this hook code when Windows is about to destroy any 
window. In the case of thread-specific hooks, the thread must own the window. Windows calls the 
WH_CBT hook before the WM_DESTROY message Is sent. If the filter function returns TRUE, the 
window Is not destroyed. 
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The wParam parameter contains the handle to the window being destroyed. The IParam parameter 
contains OL. 

HCBT_MINMAX 

Windows calls the WH_CBT hook with this hook code when Windows Is about to minimize or 
maximize a window. In the case of thread-specific hooks, the thread must own the window. If the 
filter function returns TRUE, the action does not occur. 

The wParam parameter contains the handle to the window being minimized or maximized. The 
IParam is any one of the SW_* values defined in WINUSER.H specifying the operation that is taking 
place. 

HCBT_MOVESIZE 

Windows calls the WH_CBT hook with this hook code when Windows is about to move or size a 
window, and the user has just finished selecting the new window position or size. In the case of 
thread-specific hooks, the thread must own the window. If the filter function returns TRUE, the 
action does not occur. 

The wParam parameter contains the handle to^the window being moved or sized. The IParam 
parameter contains an LPRECT that points to the drag rectangle. 

HCBT_SYSCOMMAND 

Windows calls the WH_CBT hook with this hook code when Windows processes a system command. 
In the case of a thread-specific hook, the thread must own the window whose System menu is 
being used. The WH_CBT hook is called from within DefWmdowsProc. If an application does not 
send the WH_SYSCOMMAND message to DefWindowsProc, this hook is not called. If the filter 
function returns TRUE, the system command is not processed. 

The wParam parameter contains the system command (SC_TASKLIST, SC„HOTKEY, and so on) 
that is about to be performed. If wParam is SC_HOTKEY, the LOWORD of IParam contains the 
handle to the window for which the hot key applies. If wParam contains any value other than 
SC_HOTKEY and if the System menu command is selected with the mouse, the LOWORD of IParam 
contains the horizontal position of the cursor and the HIWORD of IParam contains the vertical 
position of the cursor. 

The following system commands trigger this hook from within DefWindowProc: 



sc_ 


.CLOSE 


Close the window. 


sc. 


.HOTKEY 


Activate the window associated with the application-specified 
hot key. 


sc_ 


.HSCROLL 


Scroll horizontally. 


sc. 


.KEYMENU 


Retrieve a menu through a keystroke. 


sc_ 


.MAXIMIZE 


Maximize the window. 


sc_ 


.MINIMIZE 


Minimize the window. 


sc. 


.MOUSEMENU 


Retrieve a menu through a mouse click. 
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sc 


MOVE 


Move the window 


sc 


NEXTWINDOW 


Move to the next window 


sc 


PREVWINDOW 

_r r\i— V V y X I i_y V V 


Move to the oreviou^ window 


sc 


RESTORE 


Save the nreviou^ coordinate*^ frherknoint^ 


sc_ 


.SCREEN SAVE 


Execute the screen-save application. 


sc. 


.SIZE 


Size the window. 


sc. 


.TASKLIST 


Execute or activate the Windows Task Manager application. 


sc. 


.VSCROLL 


Scroll vertically. 



HCBT CLICKSKIPPED 



Windows calls the WH_CBT hook with this hook code when a mouse event is rennoved fronn a 
thread's input queue and the naouse hook is set. Windows will call a systemwide hook when a 
nnouse event is rennoved from any input queue and either a systemwide mouse hook or a thread- 
specific hook for the current thread is installed. This hook code is not generated unless a filter 
function is attached to the WH_MOUSE hook. Despite its name, HCBT„CLICKSKIPPED is called not 
only for skipped mouse events but also whenever a mouse event is removed from the system 
queue. Its main use is to install a WH JOURNALPLAYBACK hook in response to a mouse event. 
(See the "WM„QUEUESYNC" section below for more information.) 

The wParam parameter contains the message identifier for the mouse message— for example, the 
WM_LBUTTONDOWN or any WM_?BUTrON* messages. The IParam parameter contains a far 
pointer to MOUSEHOOKSTRUCT, which has the following structure: 

typedef struct tagMOUSEHOOKSTRUCT { 

POINT pt; // Location of mouse in screen coordinates 

HWND hwnd; // Window that receives this message 

UINT wHitTestCode; // The result of hit-testing (HT_*) 

DWORD dwExtralnfo; // Extra info associated with the current message 
} MOUSEHOOKSTRUCT, FAR ^LPMOUSEHOOKSTRUCT, *PMOUSEHOOKSTRUCT; 

HCBT_KEYSKIPPED 

Windows calls the WH„CBT hook with this hook code when a keyboard event is removed from the 
system queue and the keyboard hook is set, Windows will call a systemwide hook when a keyboard 
event is removed from any input queue and either a systemwide keyboard hook or a thread- 
specific hook for the current thread is installed. This hook code is not generated unless a filter 
function is attached to the WH_KEYBOARD hook. Despite its name, HCBT^KEYSKIPPED is called not 
only for skipped keyboard events but also whenever a keyboard event is removed from the system 
queue. Its main use is to install a WHJOURNALPLAYBACK hook in response to a keyboard event. 
(See the "WM_QUEUESYNC" section below for more information.) 

The wParam parameter contains the virtual-key code— the same value as wParam of GetMessage 
or PeekMessage for WM_KEY* messages. The IParam parameter contains the same value as the 
IParam parameter of GetMessage or PeekMessage for WM_KEY* messages. 

WM_QUEUESYNC 
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While executing, a CBT application often must react to events in the main application. Keyboard or 
mouse events usually trigger these events. For example, a user clicks an OK button in a dialog box, 
after which the CBT application wants to play a series of keystrokes to the main application. The 
CBT application can use a mouse hook to determine whether the OK button was clicked. Upon 
determining that it wants to play some keystrokes to the main application, the CBT application 
must wait until the main application completes the processing of the OK button before beginning to 
play the new keystrokes. The CBT application would not want to apply the keystrokes to the dialog 
box. 

The CBT application can use the Wr^_QUEUESYNC message to monitor the main application and 
determine when an action is completed. The CBT application monitors the main application with a 
mouse or a keyboard hook and looks for events to which it must respond. By watching the main 
application with a mouse or a keyboard hook, the CBT application becomes aware of when an 
event that needs a response begins. The CBT application must wait until the event is completed 
before responding to it. 

To determine when the action is complete, the CBT application takes these steps: 

1. The CBT application waits until it receives the WH„CBT hook with an HCBT_CLICKSKIPPED or 
an HCBT„KEYSKIPPED hook code from Windows. This happens when the event that is 
causing the action in the main application is removed from the system queue. 

2. The CBT application installs a WHJOURNALPLAYBACK hook. The CBT application cannot 
install this hook until it receives either the HCBT_CLICKSKIPPED or the HCBT_KEYSKIPPED 
hook code. The WHJOURNALPLAYBACK hook plays a WM_QUEUESYNC message to the CBT 
application. When the CBT application receives this message, it can respond to the original 
event. For example, the CBT application might play some keystrokes to the main application. 

HCBT_SETFOCUS 

Windows calls the WH_CBT hook with this hook code when Windows Is about to set the focus to 
any window. In the case of thread-specific hooks, the window must belong to the thread. If the 
filter function returns TRUE, the focus does not change. 

The wParam parameter contains the handle to the window that receives the focus. The IParam 
parameter contains the handle to the window that loses the focus. 

HCBT_QS 

Windows calls the WH_CBT hook with this hook code when a WM_QUEUESYNC message is removed 
from the system queue while a window Is being resized or moved. The hook is not called at any 
other time. In the case of thread-specific hooks, the window must belong to the thread. 

Both the wParam and IParam parameters contain zero. 
WH_DEBUG 

Windows calls this hook when Windows is about to call a filter function. Filters cannot modify the 
values for the hook but can stop Windows from calling the original filter function by returning a 
nonzero value. 

The wParam parameter contains the ID of the hook to be called, for example, WH_MOUSE. The 
IParam parameter contains a pointer to the following structure: 
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typedef struct tagDEBUGHOOKINFO 
{ 

DWORD idThread; // The thread ID for the current thread 
LPARAM reserved; 

LPARAM IParam; // The IParam for the target filter function 
WPARAM wParain; // The wParam for the target filter function 
int code; 

} DEBUGHOOKINFO, ^PDEBUGHOOKINFO, NEAR -NPDEBUGHOOKINFO, FAR* LPDEBUGHOOKINFO; 



WH FOREGROUNDIDLE 



Windows calls this hook when there is no user input to process for the current thread. In the case 
of thread-specific hooks, Windows calls the hook only when that thread is the current thread and 
there is no input for the thread. This is a notification-only hook; both the wParam and IParam 
parameters are zero. 



WH GETMESSAGE 



Windows calls this hook when the GetMessage or the PeekMessage function is about to return a 
message. The filter functions receive a pointer to a structure containing the actual message from 
Windows, The message, including any modifications, is sent to the application that originally called 
GetMessage or PeekMessage. The IParam parameter contains a pointer to a MSG structure: 



typedef struct tagMSG 
HWND hwnd; 
UINT message; 
WPARAM wParam; 
LPARAM IParam; 
DWORD time; 
POIl^T pt; 

} MSG; 



{ msg */ 

\\ The window whose Winproc will receive the message 
\\ The message nijmber 



\\ The time the message was posted 

\\ The cursor position in screen coordinates 

\\ of the message 



WH_HARDWARE 

This hook is not currently implemented in Win32. 
Journal Hooks 

Journal hooks are used to record and playback events. They are available only as systemwide 
hooks and should, therefore, be used as little as possible. These hooks affect all Windows-based 
applications; although the desktop allows no other hooks, journal hooks can record and play back 
events from and to the desktop. Another side-effect of journal hooks Is that all system input 
queues are attached though the thread that installed the hook. This means that all system input 
must pass through this one point of execution. 

Win32 takes special steps to allow a user to cancel a journal hook so that It does not lock the 
system. Windows will uninstall a record or playback journal hook when the user presses 
CTRL+ESC, ALT-f-ESC, or CTRL+ALT+DEL. Windows then notifies the application that had a journal 
hook Installed by posting a WM_CANCEUOURNAL message. 

WM„CANCEL30URNAL 

This message is posted with a NULL window handle so that it is not dispatched to a window 
procedure. The best way to catch this message is to install a WH_GETMESSAGE filter function that 
watches for the message. The Win32 documentation also mentions that an application can catch 
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the WM_CANCEUOURNAL message between a call to GetMessage (or PeekMessage) and 
DispatchMessage. Although the nnessage can be caught at this point, the application may not be 
there when the message is sent. For example, if the application Is in a dialog box, its main 
message loop will not be called. 

The CTRL+ESC, ALT+ESC, and CTRL+ALT-hDEL key combinations are built into the system so the 
user can always stop a journal hook. It would be nice if every application that uses a journal hook 
could also supply a way for the user to stop journalling. The suggested way to stop journaliing is by 
using VK_CANCEL (CTRL+BREAK). 

WHJOURNALRECORD 

Windows calls this hook when it removes an event from the system queue. Thus, these filters are 
called for all mouse and keyboard events except for those played back by a journal playback hook. 
Filters may process the message (that is, record or save the event in memory or on disk or both), 
but cannot modify or discard the message. Filters for this hook may reside in a DLL or an .EXE file. 
Only the HC„ACTION hook code is implemented in Win32. 

HC_ACTION 

Windows calls the WHJOURNALRECORD hook with this hook code when it takes an event from the 
system queue. The hook code signals the filter function that this is a normal event. The IParam 
parameter to the filter function contains a pointer to an EVENTMSG structure. The usual recording 
procedure is to take all EVENTMSG structures passed to the hook and store them in memory or, if 
events exceed memory storage capacity, write them to disk. 

The EVENTMSG structure is defined in WINDOWS. H and has the following structure: 

typedef struct tagEVENTMSG { 

UINT message; 

UINT paramL; 

UINT paramH; 

DWORD time; 

HWND hwnd; 
} EVENTMSG; 

typedef struct tagEVENTMSG *PEVENTMSG, NEAR *NPEVENTMSG, FAR *LPEVENTMSG; 

The message element of the EVENTMSG structure is the message ID for the message, the Wi^^_* 
value. The paramL and paramH values depend on whether the event is a mouse or a keyboard 
event. If it is a mouse event, the values contain the x and y coordinates of the event. If it is a 
keyboard event, paramL contains the scan code In the HIBYTE and the virtual-key code in the 
LOBYTE, and paramH contains the repeat count. Bit 15 of the repeat count specifies whether the 
event is an extended key. The time element of the EVENTMSG structure contains the system time 
(when the event occurred), which it obtained from the return value of GetTickCount. The hwnd is 
the window handle for the event. 

The amount of time between events is determined by comparing the time element of an event with 
the time of subsequent events. This time delta is needed when playing back the recorded events. 

WH_30URNALPLAYBACK 

This hook is used to provide mouse and keyboard messages to Windows as if they were inserted in 
the system queue. This hook is generally used to play back events recorded with the 
WHJOURNALRECORD hook, but also provides the best way to send events to another application. 
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Whenever a filter function is attached to this hook, Windows calls the first filter function in the 
function chain to get events. Windows discards any nnouse moves while WHJOURNALPLAYBACK is 
installed. All other keyboard and nnouse input is queued until the WH_JOURNALPU\YBACK hook has 
no filter functions attached. Filters for this hook nnay reside in a DLL or an .EXE file. A filter function 
attached to this hook needs to be aware of the following hook codes: 

• HC_GETNEXT 

• HC_SKIP 
HC.GETNEXT 

Windows calls the WH JOURNALPLAYBACK hook with this hook code when it accesses a thread's 
input queue. In most cases, Windows makes this call many times for the same message. The 
IParam parameter to the filter function contains a pointer to an EVENTMSG structure (see above). 
The filter function must put the message, the paramL value, and the paramH value into the 
EVENTMSG structure. These are usually copied directly from the recorded event made during 
WHJOURNALRECORD. 

The filter function must tell Windows when to process the message that the filter function is giving 
Windows. Windows needs two values for its scheduling: (1) the amount of time Windows should 
wait before processing the message; (2) the time at which the message is to be processed. The 
usual method of calculating the time to wait before processing is to subtract the EVENTMSG time 
element of the previous message from the EVENTMSG time element of the current message. This 
technique plays back messages at the speed at which they were recorded. If the message is to be 
processed immediately for much faster playback, the amount of time returned from the function is 
zero. 

The time at which the message should be processed is usually obtained by adding the amount of 
time Windows should wait before processing the message to the current system time obtained 
from GetTickCount. For immediate playback, use the value returned from GetTickCount. 

If the system is not otherwise active, Windows uses the values that the filter function has supplied 
to process the event. If the system is active, Windows examines the system queue. Each time it 
does, it asks for the same event with an HC_GETNEXT hook code. Each time the filter function 
receives HC„GETNEXT, it should return the new amount of time to wait, assuming that time 
elapsed between calls. The time element of the EVENTMSG structure and of the message, the 
paramH value, and the paramL value will probably not need changing between calls. 

HC_SKIP 

Windows calls the WHJOURNALPLAYBACK hook with this hook code when it has completed 
processing a message it received from WHJOURNALPLAYBACK. This occurs at the time that 
Windows would have removed the event from the system queue, if the event had been in the 
system queue instead of being generated by a WHJOURNALPLAYBACK hook. This hook code 
signals to the filter function that the event that the filter function returned on the prior 
HC__GETNEXT call has been returned to an application. The filter function should prepare to return 
the next event on the next HC_GETEVENT call. When the filter function determines that it has no 
more events to play back, it should unhook itself during this HC„SKIP call. 

WH^KEYBOARD 

Windows calls this hook when the GetMessage or the PeekMessage function is about to return a 
WM_KEYUP, WM„KEYDOWN, WM_SYSKEYUP, WM_SYSKEYDOWN, or WM„CHAR message. In the 
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case of thread-specific hooks, the message must be from the thread's input queue. The filter 
function receives the virtual-key code and the state of the keyboard at the time of the keyboard 
hook. Filters can tell Windows to discard the message. A filter function attached to this hook needs 
to be aware of the following two hook codes: 

• HC_ACTION 

• HC_NOREMOVE 
HC^ACTION 

Windows calls the WH_KEYBOARD hook with this hook code when an event is being removed from 
the system queue. 

HC_NOREMOVE 

Windows calls the WH_KEYBOARD hook with this hook code when there is a keyboard event that is 
not being removed because an application is calling PeekMessage with the PM_NOREMOVE 
option. If this hook code is passed, the key-state table will not accurately reflect the previous key 
state. An application needs to be aware of the existence of this condition. 

WH_MOUSE 

Windows calls this hook when a GetMessage or a PeekMessage function is called and Windows 
has a mouse message to process. Like the WH_KEYBOARD hook, this filter function receives a hook 
code, which indicates whether the message is being removed (HC_NOREMOVE), an identifier 
specifying the mouse message, and the x and / coordinates of the mouse. Filters can tell Windows 
to discard the message. Filters for this hook must reside in a DLL. 

WH^MSGFILTER 

Windows calls this hook when a dialog box, a message box, a scroll bar, or a menu retrieves a 
message, or when the user presses the ALT+TAB or ALT-hESC keys while the application that set 
the hook is active. This hook is thread specific, so it is always safe for its filter functions to reside in 
an application or in a DLL. The filter receives the following hook codes: 

• MSGF_DIALOGBOX: The message is for a dialog box or a message box. 

• MSGF_MENU: The message is for a menu. 

• MSGF_SCROLLBAR: The message is for a scroll bar. 

• MSGF__NEXTWINDOW: The next window action is about to take place. 

There are other MSGF_ values defined in WINUSER.H but they are not used in WH_MSGFILTER 
hooks at this time. 

The IParam parameter contains a pointer to a structure containing the message. The 
WH_SYSMSGFILTER hooks are called before the WH_MSGFILTER hooks. If any of the 
WH^SYSMSGFILTER hook functions return TRUE, the WH_MSGFILTER hooks are not called. 

WH SHELL 
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Windows calls this hook when actions occur to top-level (that is, unowned) windows. In the case of 
thread-specific hooks, Windows calls this hook only for windows that belong to the thread. This is a 
notification-only hook, so the filter function cannot modify or discard the event. The wParam 
parameter contains the handle to the window; the IParam parameter is not used. Three hook codes 
are defined in WINUSER.H for this hook: 

• HSHELL_WINDOWCREATED: Windows calls the WH_SHELL hook when a top-level window is 
created. The window already exists when this hook is called, 

• HSHELL_WINDOWDESTROYED: Windows calls the WH_SHELL hook when a top-level window 
is about to be destroyed. 

• HSHELL_ACTIVATESHELLWINDOW: This hook code is not used at this time. 
WH_SYSMSGFILTER 

This hook Is identical to WH_MSGFILTER except that it is a systemwide hook. Windows calls this 
hook when a dialog box, a message box, a scroll bar, or a menu retrieves a message, or when the 
user presses the ALT+TAB or ALT+ESC keys. The filter receives the same hook code as 
WH^MSGFILTER. 

The IParam parameter contains a pointer to a structure containing the message. The 
WH„SYSMSGFILTER hooks are called before the WH_MSGFILTER hooks. If any of the 
. WH_SYSMSGFILTER hook functions return TRUE, the WH_MSGFILTER hooks are not called. 



Send feedback on this article. Find support options . 

© 2001 Microsoft Corporation. All rights reserved. Terms of use. 
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APPENDIX HE 

Hooksdil.c 



//win9x and WINDOWS2000 

// Encryption & Decryption routines 



Windows hooks Application - The DLL 

This application determines how to change Windows hooks. 

This File contains the source code for the hooksdll, encryption blah blah blah 

Author: Kyle Marsh 

Windows Developer Technology Group 
Microsoft Corp 

Author: The Software Works Corporation 
1.800.448.8817 



// 


T. Regan 


4/2/99 


// 


T. Regan 


4/3/99 


// 


T. Regan 


4/10/99 


// 


T. Regan 


4/11/99 


// 


T. Regan 


4/16/99 


// 


T. Regan 


4/17/99 


// 


T. Regan 


4/20/99 


// 






// 


T. Regan 


5/2/99 


// 


etc, etc 




// 






// 


copyright stuff here 



Added WH_SHELL handling. 

Begin saving information to cheat file. 

Merged Chris' code in. 

Added start time and elapsed time. 

Timer synchronization. Delete ft)_time in ExitHooksDll. 

Cleanup. 

Change elapsed timer: save in file start time, current time, penalty time 

Keep 2 copies of the file - in case one is trashed during reboot. 
Comment out fprintf(§)_cheat, "NO CHEATING HAS BEEN DETECTED\n"); from ExitHooksDll. 



// 
//- 



#include "windows.h" 
#include "windef h" 
^include "winbase.h" 
#include "mailoc.h" 
#include "string.h" 
#include "hooks32,h" 
#include "stdlib.h" 
#include "stdio.h" 
#inc]ude "time.h" 



#define HW_PROFILE_GUIDLEN 39 // 36-characters plus NULL terminator 
#defme MAX_PROFILE_LEN 80 
#define MAXLTH 100 



ifdef USE„BLOCK_CrPHER 
// defines for RC2 block cipher 
#defme ENCRYPT_ALGORITHM 
#define ENCRYPT_BLOCK_SIZE 
#else 

// defines for RC4 stream cipher 
#defme ENCRYPT.ALGORITHM 
#defme ENCRYPT_.BLOCK_SIZE 
#endif 



CALG_RC2 
8 



CALG_RC4 
1 



typedef BOOL (CALLBACK *PROCENUMPROC)( DWORD, WORD, LPCSTR, LPARAM ); 
BOOL WINAPI EnumProcs( PROCENUMPROC IpProc, LPARAM IParam ); 

#include <tlhelp32-h> 
^include <vdmdbg.h> 

^include "stdio.h" 
typedef struct 
{ 

DWORD dwPID; 
PROCENUMPROC IpProc; 
DWORD IParam; 
BOOL bEnd; 
} EnumlnfoStruct; 

// 10 use this function, declare the following 

//BOOL CALLBACK Proc ( DWORD dw, WORD wl6, LPCSTR Ipstr, LPARAM IParam ); 



// arrays of start and current processor list 
# define max_count35 
PROCESSENTRY32 startProcs[max_count]; 
PROCESSENTRY32 currentProcs[max_count] ; 
PROCESSENTRY32 vaiidProcs[max_count]; 
BOOL firstTime; 



BOOL WINAPI Enuml6( DWORD dwThreadId, WORD hModl6, WORD hTaskl6, 

PSZ pszModName, PSZ pszFileName, LPARAM IpUserDefined ) ; 
BOOL GetWordPath(LPOLESTR szApp, LPSTR szPath, ULONG cSize); 

void nuIlCurrentProcListO; 
void kiUAIlNonValidProcsO; 



// 

// Macros and typedefs 

// 

#defme WM_UNHOOK ( WM_APP + 0x2500 ) 

#defme GETDEFWNDPROC( h ) ( (WNDPROC) GetWindowLong( h, GWL_WNDPROC ) ) 

II 

// Function declarations 

II, 

int CALLBACK BeginThread 0; 

int CALLBACK EndThread Q; 

int CALLBACK CheckUserSid(LPSTR outDomainName,LPSTR outUserName); 

int CALLBACK SaveUserSidQ; 

int CALLBACK LogoffCurrentUserQ; 

BOOL RemoveWindow(HWND hWnd); 

BOOL CALLBACK LibMain(HANDLE hModule, DWORD dwReason, LPVOID IpReserved); 
int CALLBACK WEP (int bSystemExit); 

int CALLBACK InitHooksDn(HWND hwndMainWindow, int nWinLineHeight); 

int CALLBACK PaintHooksDn(HDC hDC ); 

int CALLBACK InstallFilter (int nHooklndex, int nCode ); 

int CALLBACK ExitHooksDll(HWND hwndMainWindow, int nWinLineHeight); 

/* Function to encrypt the file (any file format)*/ 

BOOL CALLBACK CAPIDecryptFile(PCHAR szSource, PCHAR szDestination, PCHAR szPassword); 
/* Function to decrypt the file (any file format)*/ 

BOOL CALLBACK CAPIEncryptFile(PCHAR szSource, PCHAR szDestination, PCHAR szPassword); 
/* Function used to create the vault space in your system so that the encryption 
decryption routines will work fine*/ 
/////for fhGetPrivatelnfo 

int CALLBACK fiiGetPrivateInfo(LPSTR inStr,LPSTR rtStr^int CallSeq); 
long AddAliAsc(LPSTR inStr); 
char iong2char(long inVal); 



int stringlen(LPSTR inStr); 

int GetWinVer(void); 

int SaveTickReg(long tick); 

long ReadTickRegO; 

/////for fnGetPrivatelnfo -end 



BOOL CALLBACK InitUserQ; 

int CALLBACK CheckStart(void); 

char *szMessageString(int ID); 

LRESULT CALLBACK CallWndProcFunc (int nCode, WPARAM wParam, LP ARAM iParam ); 
LRESULT CALLBACK CbtFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULTCALLBACK GetMessageFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULT CALLBACK JoumalPlaybackFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULTCALLBACK JoumalRecordFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULT CALLBACK KeyboardFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULTCALLBACK MouseFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULTCALLBACK SysMsgFilterFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULTCALLBACK DebugFiiterFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULTCALLBACK ShellFilterFunc (int nCode, WPARAM wParam, LPARAM IParam ); 
LRESULT CALLBACK LowLevelKeyboardProc(int nCode,WPARAM wParam,LPARAM IParam); 

DWORD WINAPI ThreadProc(LPVOID ipParameter); 

BOOL CALLBACK EnumWindowsProc(HWND hwnd,LPARAM IParam); 

// 

// Global Variables... 

// 

^pragma data_seg("Shared") 
static int bEnableDBCIick=0; 
struct CHookltem 
{ 

// Member variables 

HWND m_hWnd ;//the wnd handle of the hook windows. 

WNDPROC m_HookWndProc ;// 

WNDPROC m_DefWndProc 'Jf 

}g_HookList[255]; 
DWORD ValidProcessID[255]; 
long const g_HookList_Num = 255; 
// 

// Hook Handles 
// 

HHOOK hhookHooks[NUMOFHOOKS]; 
^^pragma data^segO 

^pragma comment(Unker, "/section: Shared,rws") 

//James add begin 

HANDLE hThread=NULL; 
BOOL bStart-FALSE; 
//James end 



HANDLE hinstance; // Global instance handle for DLL 

int InitCalled = 0; // Has the Init function been called ? 

char szType[64]; // A Place to write temporary strings 

DWORD dwStartRecordTime; // Time JoumalRecord Started 

typedef struct TAGEventNode { 

EVENTMSG Event; 

struct TAGEventNode *IpNextEvent; 
} EventNode; 

EventNode *IpEventChain = NULL; // Head of recorded Event List 
EventNode *IpLastEvent = NULL; // Tail of recorded Event List 

EventNode *IpPIayEvent ^ NULL; // Current Event being played 



//Global Declaration for Start Time 
SYSTEMTIME starttime; //tpr 4/1 7/99 not used 
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// 

// My Hook States 
// 

int HookStates[NUMOFHOOKS] = { 0,0,0,0,0,0,0,0,0,0,0,0 } ; // State Table of my hooks 

// 

// Hook Codes 
// 

int HookCodes[NUMOFHOOKS] = { 

WH_CALLWNDPROC, 
WH_CBT, 

WH_GETMESSAGE, 

WHJOURNALPLAYBACK, 

WHJOURNALRECORD, 

WH_KEYBOARD, 

WH_MOUSE, 

WH_MSGFILTER, 

WH_SYSMSGFILTER, 

WH_DEBUG, 

WH^SHELL, 

WH_KEYBOARD_LL 

}; 



// Filter Function Addresses 

FARPROC lpfiiHookProcs[NUMOFHOOKS] - { 

(FARPROC) CallWndProcFunc, 
(FARPROC) CbtFunc, 
(FARPROC) GetMessageFunc, 
(FARPROC) JoumalPIaybackFunc, 
(FARPROC) JoumalRecordFunc, 
(FARPROC) KeyboardFunc, 
(FARPROC) MouseFunc, 
NULL, 

(FARPROC) SysMsgFilterFunc, 

(FARPROC) DebugFilterFunc, 
(FARPROC) ShellFilterFunc, 

(FARPROC) LowLevelKeyboardProc 

}; 



// 

// Output Lines 
// 

char szFilterLine[NUMOFHOOKS][128]; 
// Set up cheat detection file to capture key messages 



FILE *^_cheat; 
FILE *ft)„time; 
FILE *Qj_time_copy; 
char start_date[9]; 
char start_time[9]; 
char cur_date[9]; 
char cur_time[9]; 

time_t start; 
time_t finish; 
double penalty; 
double elapsed; 
BOOL bgotstarttime; 



// cheat file 
// time file 
// time file copy 

// used to capture the current date 
// used to capture the current time 
// used to capture the current date 
// used to capture the current time 

// start time 
// finish time 

// penalty time (time during reboot) 
// elapsed time 
// flag to indicate start time has been acquired 



//Shared DATA 

#pragma data_seg("SHARDATA") 

static HWND hwndMain = NULL; // Main hwnd. We will get this from the App 

static int nLineHeight = 0; // Heigth of lines in window 

#pragma data_segO 



II 

// LibMain 

//. 

BOOL CALLBACK LibMain(HANDLE hModuIe, DWORD dwReason, LPVOID IpReserved) 
{ 

hinstance = hModule; 
return 1 ; 

} 

//. 

11 WE? 

II 

int CALLBACK WEP (int bSystemExit) 
{ 

return(l); 

} 

// 

// Function : HookProc 

// Description : Function that encapsulates the hook 

/ / 

#include <time.h> 

struct CHookltem* g_HookList_fmd(HWND in) 
( 

int i; 

for(i=0;i< g_HookList_Num;i++) 
{ 

ifi(g_HookList[i].m_hWnd !=NULL) 

if(g_HookList[i].m_hWnd = in) 

return &(g_HookList[i]); 

} 

return NULL; 

} 

void g_HookList_erase(struct CHookltem * in) 
{ 

in->m_hWnd-NULL; 
in->m_DefWndProc = NULL; 
in->m_HookWndProc =NULL; 

} 

struct CHookltem * g_HookList_Add(HWND in) 
{ 

Struct CHookltem * t; 
int i; 

t = g_HookList_fmd(in); 
if{t) 

return t; 

for ( i=0;i<g_HookList_Num;i++) 
{ 

if(g_HookList[i].m_hWnd = NULL) 
{ 

return &(g_HookList[i]); 

} 

} 

return NULL; 

[result CALLBACK HookWndProc( HWND hWnd, UINT Msg, WPARAM wParam, LPARAM IParam ) 
{ 

struct CHookltem *it=NULL; 

it = g_HookList_fmd{hWnd ) ; 

// Search for a known window, quit if unknown 

if(it = NULL) 

{ 

return 0; 

} 



// Hook messages 



switch( Msg ) 
{ 

case WM_UNHOOK: 

// Message send by DLL on unhook! 

SetWindowLong( hWnd, GWL_WNDPROC, (long) it->m_DefWndProc ); 
g_HookList_erase(it); 

SendMessage( hWnd, WMJKCPAINT, 1,0); 
return 0; 

case WM_NCDESTROY: 

// CLog::PutLog( "* WM_NCDESTROY * HWND = %08X * P: %08X *\r\n", hWnd, 

GETDEFWNDPROC( hWnd ) ); 

SetWmdowLong( hWnd, G\VL_WNDPROC, (long) it->m_DefWndProc ); 
CaIlWindowProc( it->m_DefWndProc, hWnd, Msg, wParam, IParam ); 

g_HookList_erase( it); 
return 0; 
case WM_CREATE: 
{ 

chartmpStr[80]; 

GetClassName(hWnd,tmpStr,80); 

if(stricmp(tmpStr,"WinPopup")=0 ) 
{ 

return -1; 

} 

} 

case WM_CONTEXTMENU: 

return 0; 
case WM_CLOSE: 

{ 

char tmpStr[80]; 

GetClassName(hWnd,tmpStr,80); 

if(stricmp(tmpStr,"WinPopup")=0 ) 
{ 

DestroyWindow(hWnd); 
return 0; 

} 

} 

default: 

break; 

} 

// We didn't process the message, so process with default window procedure 
return CallWindowProc( it->m_DefWndProc, hWnd, Msg, wParam, IParam ); 

} 



// 

//InitHooksDll 

11 

int CALLBACK InitHooksDlI(HWND hwndMain Window, int nWinLineHeight) 
{ 

GetSystemTime(&starttime); 

hwndMain = hwndMain Window; 
nLineHeight = nWinLineHeight; 

// fp„cheat = fopen("c:\\cheatfile.txt", "w+''); 

f^^cheat = fopenC'crWcheatfile.txt", "a"); 
_strdate(start_date); 
_strtime(start_time); 

fprintf(fp_cheat, "exam start date: %s\n", start_date); 
^rintf(^_cheat, "exam start time: %s\n", startjime); 
^rintf(f^_cheat,"No Cheating detected"); 
fclose(fp_cheat); 



InitCailed = l; 



bgotstarttime = FALSE; 



return (0); 

} 

II 

//ExitHooksDll 

// 

int CALLBACK ExitHooksDll(HWND hwndMainWindovv, int nWinLineHeight) 
{ 

hwndMain = hwndMamWindow; 
nLineHeight = nWinLineHeight; 

fp_cheat = fopen("c:\\cheatfile.txt", "a"); 

_strdate(cur_date); 

_strtime(cur_time); 

//^rintf(fp_cheat, "NO CHEATING HAS BEEN DETECTED\n"); 
fprintf(fp_cheat, "exam end date: %s\n", cur_date); 
fprintf(fp_cheat, "exam end time: %s\n", cur_time); 
fciose(fp_cheat); 
DeleteFiie("c:\\timefiIe.txt"); 

return (0); 

} 

//. ™ 

// PaintHooksDlI 

If. 

int CALLBACK PaintHooksDIl{HDC hDC ) 
{ 

// inti; 

// for(i-0;i<NUMOFHOOKS;i++){ 

// if ( HookCodes[i] != WH_MSGFILTER && HookStates[i] ) 

// TabbedTextOut(hDC, L nLineHeight * i, 

// (LPSTR)szFilterLine[i], strien(szFilterLine[i]), 0, NULL, 1); 

// } 

return (0); 

} 

II 

// InstallSysMsgFilter 

// 

// Install / Remove Filter function for the WH_SYSMSGFILTER 

// 

// 

int CALLBACK InstallFilter (int nHooklndex, int nCode ) 
{ 

if(!InitCaIled){ 

return (-1); 

} 

if(nCode){ 

hhookHooks[nHookIndex] == 

SetWindowsHookEx(HookCodes[nHookIndex], (HOOKPROC) IpfiiHookProcs[nHookIndex], hinstance, 0); 
HookStates[nHookIndex] = TRUE; 

} 

else { 

UnhookWindowsHookEx(hhookHooks[nHookIndex]); 
HookStates[nHookIndex] = FALSE; 
InvalidateRect(hwndMain, NULL, TRUE); 
UpdateWindow(hwndMain); 

} 

return 0; 

} 
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I! 

// LowLevelKeyboardProc 

// 

// Filter function for the WH__KEYBOARD_LL 

// 

II 

LRESULT CALLBACK LowLevelKeyboardProc (INT nCode, WPARAM wParam, LPARAM IParam) 
{ 

// By returning a non-zero value from the hook procedure, the 
II message does not get passed to the target window 
KBDLLHOOKSTRUCT *pkbhs = (KBDLLHOOKSTRUCT *) IParam; 
BOOL bControlKeyDown = 0; 

switch (nCode) 
{ 

case HC„ACTION: 
{ 

// Check to see if the CTRL key is pressed 

bControlKeyDown = GetAsyncKeyState (VK_CONTROL) » ((si2eof(SHORT) * 8) - 1); 
// Disable CTRL+ESC 

if (pkbhs->vkCode = VK_ESCAPE && bControlKeyDowTi) 
return 1; 

//Disable ALT+TAB 

if (pkbhs->vkCode = VK_TAB && pkbhs->flags & LLKHF_ALTDOWN) 
return 1; 

//Disable ALT+ESC 

if (pkbhs->vkCode == VK_ESC APE && pkbhs->flags & LLKHF_ALTDOWN) 
return 1; 

// Disable Ctrl+ALT+Del 

if (bControlKeyDown && pkbhs->vkCode = VK_DELETE && pkbhs->flags & LLKHF_ALTDOWN) 
return 1; 

// Disable Windows key 
if (pkbhs->vkCode = VK_LWIN H pkbhs->vkCode = VK_RWIN) 
return 1; 

/* // Check to see if the VK_LWIN key is pressed 

bControlKeyDown - GetAsyncKeyState (VK_LWIN) » ((sizeof(SHORT) * 8) - 1); 
if(bControlKeyDown) 
return I; 

else 
{ 

// Check to see if the VK_RWIN key is pressed 

bControlKeyDown = GetAsyncKeyState (VK_RWIN) » ((sizeof(SHORT) * 

8)-l); 

if(bControlKeyDown) 
return 1; 

} 

*/ 

break; 

} 

default: 
break; 

} 

return CallNextHookEx (hhookHooks[LowLevelKeyboardProcIndex], nCode, wParam, IParam); 

} 



// 

// CallWndProcFunc 

// 

// Filter function for the WH_CALLWNDPROC 

// 

II 

LRESULT CALLBACK CailWndProcFunc (int nCode, WPARAM wParam, LP ARAM IParam ) 
{ 

// HDC hDC; 
PCWPSTRUCT pParamStnict; 
int nVirtKey;//pugal 



if(nCode >=0) 
{ 

LPCREATESTRUCT pCs; 

LPCWPSTRUCT pCwp - (LPCWPSTRUCT) IParam ; 
struct CHookltem * pi tern = g_HookList_find( pCwp->hwnd ); 
char tmpStr[80]; 



switch( pCwp->message ) 
{ 

case WM_NCCREATE: 

pCs - (LPCREATESTRUCT) pCwp->lParam; 
GetCl assName(pCwp->hwnd,tmpStr, 8 0) ; 

if(stricmp(tmpSfr,"WinPopup")==0 |i 

stricmp(tmpStr;'_WwG")==0 || 
stricmp(tmpStr,"SysListView32")=-0) 

{ 

//CLog::PutLog( "* WM_NCCREATE * HWND - %08X * P: %08X *\r\n", 
pCwp->hwnd, GETDEFWNDPROC( pCwp->hwnd ) ); 

// Add item to hook list 

if(g_HookList_fmd( pCwp->hwnd ) NULL) 
{ 

struct CHookltem *rNewItem = g_HookList_Add(pCwp->hvvnd); 

rNewItem->m_hWnd = pCwp->hwnd; 
rNewItem->m_HookWndProc ^ HookWndProc; 
rNewItem->m_DefWndProc NULL; 

} 

} 

break; 

/* 

case WM^CONTEXTMENU: 

if(g_HookList.fmd( pCwp->hwiid ) = g_HookList-endO) 
{ 

CHookltem &rNewItem = g_HookList[pCwp->hwnd]; 
rNewItem.m_hWnd = pCwp->hwnd; 
rNewItem.m_HookWndProc = HookWndProc; 
rNewItem.m_DefWndProc = NULL; 

pItem->m_DefWndProc = GETDEFWNDPROC( pCwp->hwnd ); 
SetWindowLong( pCwp->hwnd, GWL_WNDPROC, (long) 

HookWndProc ); 

} 

*/ 

case WM_NCPAINT: 
{ 

struct CHookltem * pltem2 - g_HookList_fmd( pCwp->hwnd ); 
LONGtype=0; 

type = GetWindowLong(pCwp->hwnd ,GWL_EXSTYLE); 

if(type & WS_EX_CONTEXTHELP) 

{ 

type = type & (~WS_EX_CONTEXTHELP); 
SetWindowLong(pCwp->hwnd ,GWL_EXSTYLE,type); 

} 

if((pltem2 != NULL ) && ( pltem2->m_DefWndProc = NULL ) ) 
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{ 

//--in fact 

pItem2->m_DefWndProc - GETDEFWNDPROC( pCwp->h\\nd 

); 

SetWindowLong( pCwp->hwnd, GWL_WNDPROC, (long) 

HookWndProc ); 

{ 

GetCIassName(pCwp->hwnd ,tmpStr,80) ; 

if(stricmp(tmpStr;'WinPopup")==0) 
( 

PostMessage(pCwp->hwnd 

,WM_CLOSE,0,0); 

} 

} 



} 

} 

break; 

default; 

break; 

} 

} 



// 

// We looked at the message ... sort of processed it but since we are 
// looking we will pass all messages on to CallNextHookEx. 

// 

return CanNextHookEx(hhookHooks[CALLWNDPROCINDEX], nCode, wParam, IParam); 

} 

II 

// CbtFunc 

// 

// Filter function for the WH_CBT 

// 

II. 

LRESULT CALLBACK CbtFunc (int nCode, WPARAM wParam, LP ARAM IParam ) 
{ 

// HDC hDC; 
CBTACTIVATESTRUCT *Active; 
LPMOUSEHOOKSTRUCT MouseHookParam; 
LPCBT_CREATEWND CreateWndParam; 
LPRECT Rect; 

char s2CiassName[255],szTitIe[255]; 

// int proc 1 ,no_of_chars; 

if(nCode>=0){ 
switch ( nCode ) { 

case HCBT_ACTrVATE: 
break; 

case HCBT_CLICKSKIPPED: 
break; 

case HCBT_CREATEWND: 
{ 

TCHARbuf[255]; 
HWND hSpellFirst^hSpellOptions; 
GetClassNanie((HWND)wParam,buf,sizeof(buf)); 

hSpellFirst - FindWindowEx(NULL,NULL;'bosa_sdm_Microsoft Word 9.0",NULL); 

if(hSpeIlFirst) 

{ 



9.0",NULL); 



hSpellOptions = FindWindowEx(NULL,hSpeUFirst,"bosa_sdm_Microsoft Word 

if(hSpelIOptioiis ) 
{ 

GetWindowText(hSpenFirst,buf,sizeof(buf)), 

CharUpper(buf); 
if(strstr(buf,"SPELLrNG") 1| strstr(buf;TIND")) 
{ 

return 1; 

} 

} 

if(hSpelIFirst !- (HWND)wParam) 
{ 

GetClassName((HWND)wParam,buf,sizeof(buf)); 

if(stricmp(buf,"MSOUNISTAT")=0) 

{ 

return 1; 

} 

} 



break; 

case HCBT_DESTROYWND: 
break; 

case HCBT_KEYSKIPPED: 
break; 

case HCBT_MINMAX: 
switch ( LOWOR0(IParam) ) { 
case SW_HIDE: 

strcpyCszType, "SW_HIDE"); 

break; 

case SW_NORMAL: 

strcpy(szType, "SW_NOFMAL"); 

break; 

case SW_SHOWMINIMIZED: 

strcpy(szType, "SW_SHOWMINIMIZED"); 

break; 

case SW_MAXIMIZE: 

strcpy(szType, "SW_MAXIMIZE"); 

break; 

case SW_SHOWNOACTIVATE: 

strcpy(szType, "SW„SHOWNOACTIVATE"); 

break; 

case SW_SHOW: 

strcpy(szType, "SW_SHOW"); 

break; 

case SW_MINIMIZE: // disable minimize button rayh 

//strcpy(szType, "SW_MINIMIZE"); 

//break; 

return 1; 

//case SW_CLOSE: // disable close button rayh 

//strcopy(szType, "SW_CLOSE"); 
//break; 

// return 1; //undeclared compile error SW_CLOSE 

case SW_SHOWMrNNOACTIVE: 

strcpy(szType, "SW_SHOWMINNOACTIVE"); 

break; 
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case SW_SHOWNA: 

strcpy(szType, "SW_SHOWNA"); 

break; 

case SW_RESTORE: 

strcpy(szType, "SW_RESTORE"); 

break; 
default: 

strcpy(szType," Unknown Message"); 

) 

break; 

case HCBT_MOVESIZE: 
Rect = (LPRECT) IParam; 
break; 

case HCBT_QS: 
break; 

case HCBT^SETFOCUS: 
break; 

case HCBT_SYSCOMMAND: 
switch ( wParam ) { 

case SC_SIZE: 

return 1; 

strcpy(szType,"SC_SIZE"); 

break; 

case SC_MOVE: 
return 1; 

strcpy(szType/'SC_MOVE"); 

break; 

case SC_MINIMIZE: 
return 1; 

strcpy(szType;'SC_MINIMIZE"); 

break; 

case SC_MAXIMIZE: 

strcpy(szType;'SC_MAXIMIZE"); 

break; 

case SC_NEXTWINDOW: 

strcpy(szType,"SC_NEXTWINDOW"); 

break; 

case SC_PREVWINDOW: 

strcpy(szType,''SC_PREVWINDOW"); 

break; 

case SC_CLOSE: 
return 1; 

strcpy(szType,"SC_CLOSE"); 

break; 

case SC_VSCROLL: 

strcpy(szType,"SC_VSCROLL"); 

break; 

case SC_HSCROLL: 

strcpy(szType,"SC_HSCROLL"); 

break; 

case SC_MOUSEMENU: 
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break; 



return 1; 

strcpy(szType,"SC_MOUSEMENU"); 



case SC_KEYMENU: 
return 1; 

strcpy(szType;'SC_KEYMENU"); 

break; 

case SC„ARRANGE: 

strcpy(szType,"SC_ARRANGE"); 

break; 
caseSC RESTORE: 



//Who 
//Date 

// Reason : test 
#ifO //Delete-- 



#endif // Delete - 



; Robin wei 

: 00-9-8 17:22:44 



break; 



• [Begin] 
return 1; 
— [End] 



strcpy(szType,"SC_RESTORE"); 



} 



case SC^TASKLIST: 

strcpy(szType;'SC_TASKLIST"); 

break; 

case SC_SCREENSAVE: 

strcpy(szType;'SC_SCREENSAVE"); 

break; 

case SC_HOTKEY: 

strcpy(szType;'SC_HOTKEY"); 

break; 



default: 



strcpy(szType, "Unknown Message"); 



break; 



// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, U nLineHeight * CBTINDEX, 

// (LPSTR)szFiiterLine[CBTINDEX], 

// strlen(szFiIterLine[CBTINDEX]), 0, NULL, I); 

// ReleaseDC(hwndMain, hDC); 

// save information to cheat file 
// fp_cheat-= fopen("c:\\cheatfile.txt", "a"); 
// fprintf(fp_cheat, "CBT %s\n", szFilterLine[CBTrNDEX]); 
// fclose(^__cheat); 

} 



// We looked at the message ... sort of processed it but since we are 
// looking we will pass all messages on to CallNextHookEx. 



retum(CallNextHookEx(hhookHooks[CBTINDEX], nCode,wParam, IParam)); 



GetMessageFunc 

Filter function for the WH_GETMESSAGE 
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//. 

LRESULT CALLBACK GetMessageFunc (int nCode, WPARAM wParam, LPARAM IParam ) 
{ 

MSG *lpMsg; 

// Who : Robin wei 
//Date : 9/14/00 3:03:19 PM 
// Reason : Add action for Ctrl+T in Word 
//Modify [Begin] 

if(nCode >=0) 
{ 

char szClassName[20]; 

IpMsg - (MSG *) IParam; 
// disable power button 

ifi(lpMsg->message ^ WM_POWERBROADCAST) 
return 1; 

ZeroMemory(szCIassName,sizeof(szClassName)); 
GetClassName(lpMsg->hwnd ,szCIassName,sizeof(szCIassNanie)); 
if(strcmp(szClassName,"_WwG")=0) // is word 
{ 

if(lpMsg->message = WM_KEYDOWN) 

{ 

if ((GetKeyState(VK__CONTROL) & 0x80 ) && 

lpMss->wParam = T) //IsCtrl+T 

{ 

// Check whether the exam has began? 
HKEYkey; 

if( RegOpenKeyEx(HKEY__CURRENT_USER, 

"SoftwareWMicrosoftWwindowsWCurrentVers ion" , 
0,KEY_QUERY_VALUE,&key) 

==ERROR_SUCCESS) 

{ 



RegQueryValueEx(key,"SSI_STARTnME",0,&type,starttime,&cb); 



Elasped_Total,eHour,eMin,eSec; 



char starttime[80]; 
LONG result; 
DWORD cb,type; 

ZeroMemory(starttime,sizeof(starttime)); 
cb=^ sizeof(starttime); 
result = 



RegCloseKey(key), 
if(ERROR_SUCCESS = 



= result) 



char szBackTime[20],*szNormal; 
int i; 

// remove the space. 
for{i=0;i<strIen(starttime);i-H-) 

{ 

szNormal == &starttime[i]; 
if(*szNormal != ") break; 

} 

strcpy(szBackTime,szNormaI); 
strcpy(szBackTime,szNormaI); 
if(strcmp(szNormal,"00:00:00")!=0) 
{ 

int year,month,day,hh,mm,ss; 
struct tm *CurTime; 
time_t t; 
long 

charnisg[80]; 

char *PPP,szFormat[80]; 
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PPP - strpbrk(szBackTime,7-"), 



tiine(&t); 

CurTime = ioca!time(&t); 



sp^mtf(szFo^mat;•%s%c%s%c%s^''%d^*PPP;'%d^*PPP/'%d%d:%d.%d"); 

sscanf(szBackTime,szFonnat,&month,&day,&year,&hh,&mm,&ss); 
>tm_mday - day ) * 3600 * 24 + (CurTime->tm_hour - hh) * 3600 + 
mm) * 60 + CurTime->tm_sec - ss; 

60; 

3600) - (eMin * 60); 

sprintf(szFormat, "Current Time: 
%s%c%s%c%s";'%02d",*PPP;'%02d",*PPP,"%04d %02d:%02d:%02d \nEIapsed Time: %02d:%02d.%02d"); 

sprintf{msg,szFormat, 

CurTime- 

>tm_mon +1 ,CurTime->tm_mday ,CurTime->tm_year +1900,CurTime->tm_hour ,CurTime->tm_min ,CurTime->tm_sec , 



E!asped_Total = (CurTime- 

(CurTime->tm_min - 



eHoiir - EIasped_Total / 3600; 
eMin- (Elasped_Total%3600 )/ 

eSec - Elasped^Total - (cHour * 



eHour,eMin,eSec); 
,msg,"Securexam Student",MB_OK); 



MessageBox(lpMsg->hwnd 



return 1; 



else 
{ 



Ctrl+T 



if(stricmp(szCIassNaine,"bosa_sdm_Microsoft Word 9.0")==0) // is word 
{ 

if(lpMsg->message WM„SYSKEYDOWN) 
{ 

if ((GetKeyState(VK_MENU) & 0x80 ) && 

(lpMsg->wParam = 'O' \\ lpMsg->wParam == 'o')) // Is 

{ 

fp_cheat = fopen('*c:\\cheatfiletxt", "a"); 
fi3rintf(fp_cheat, "ALT„0 : \n"); 
fclose(^_cheat); 

if(bBBB) 
{ 

return 1; 

}else 

bBBB = TRUE; 

} 

}else if(lpMsg->message = WM_SETFOCUS) 
{ 

fiD_cheat = fopen("c:\\cheatfile.txt", "a"); 
Q)rintf(ip_cheat, "WM_SETFOCUS : \n"); 
fclose(fp_cheat); 
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}eise if(lpMsg->message = WM_KILLFOCUS) 
{ 

ft)_cheat = fopen("c:\\cheatfile.txt", "a"); 
lprintf(fp_cheat, "WM_KILLFOCUS : \n"); 
fc]ose(fp_cheat); 

} 



*/ 

// else if(strcmp(szCiassName,"bosa_sdm_Microsoft Word 9.0")~0) 

// { 

// if(ipMsg->message = WM_MOUSEACTIVATE) 

// return 1 ; 

// } 
} 

//Modify [End] 



// 

// We looked at the message ,„ sort of processed it but since we are 
// looking we will pass all messages on to CallNextHookEx. 

// 

return CallNextHookEx(hhookHooks[GETMESSAGEINDEX], nCode, wParam, IParam); 



JoumaiPlaybackFunc 

Filter function for the WH JOURNALPLAYBACK 



LRESULT CALLBACK JoumaiPlaybackFunc (im nCode, WPARAM wParam, LPARAM IParam ) 

static int nRepeatRequests; 
static DWORD dwTimeAdjust; 
static DWORD dwLastEventTime; 
// HDC hDC; 

LPEVENTMSG IpEvent; 

long IRetumValue; 

HMENU hMenu; 



if(nCode >=0) 
{ 

// No Playback if we haven't recorded an Event 

// 

// No Playback While recording. 

// This is not a limitation of the hooks. 

// This is only because of the simple event storage used in this example 

// 

// We should never get here since the enable / disable menu stuff should 

// make getting here impossible 

// 

if( lpEventChain-=NULL || HookStates[JOURNALRECORDINDEX]) 
{ 

InstaliFilter(JOURNALPLAYBACKINDEX, FALSE); 
hMenu - GetMenu(hwndMain); 

CheckMenuItem(hMenu, IDMJOURNALPLAYBACK, MF_UNCHECKED | MF_BYCOMMAND); 
EnableMenuItem(hMenu, IDMJOURN ALPLAYB ACK, MF_DIS ABLED 1 MF_GRAYED | 

MF_BYCOMMAND); 

wsprintf((LPSTR)s2FilterLine[J0URNALPLAYBACKINDEX], 

" WH_JOURNALPLAYBACK - No recorded Events to Playback or JoumalRecord in Progress 

"); 

// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1 , nLineHeight * JOURNALPLAYBACKINDEX, 

// (LPSTR)szFiiterLine[JOURNALPLAYBACKINDEX], 

// strlen(szFilterLine[JOURNALPLAYBACKINDEX]), 0, NULL, 1); 

// ReleaseDC(hwndMain, hDC); 



-17- 



// save information to cheat file 

// fp_cheat= fopen("c:\\cheatfiie.txt", "a"); 

// fprintf(fp_cheat, "%s\n", szFilterLine[JOURNALPLAYBACKINDEX]); 
// fclose(fp_cheat); 

retum( (int)CallNextHookEx(hhookHooks[JOURNALPLAYBACKINDEX], nCode, wParam, IParam )); 

} 

if(lpPlayEvent = NULL) 
( 

IpPlayEvent = IpEventChain; 

IpLastEvent = NULL; // For the next time we start the recorder 

dwTimeAdjust = GetTickCountO - dwStartRecordTime; 
dwLastEventTime = (DWORD) GetTickCountQ; 
nRepeatRequests = 1 ; 

} 

if(nCode=-HC_SKIP) 

nRepeatRequests = 1 ; 

if ( ipPIayEvent->lpNextEvent NULL ) 
{ 



wsprintf((LPSTR)szFiIterLine[JOURNALPLAYBACKrNDEX], 

"WHJOURNALPLAYBACK -- Done Recorded Events"); 
// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, I, nLineHeight * JOURNALPLAYBACKINDEX, 

// (LPSTR)szFilterLine[JOURNALPLAYBACKrNDEX], 

// strien(szFilterLine[JOURNALPLAYBACKINDEX]), 0, NULL, 1); 

// ReieaseDC(hwndMain, hDC); 



// save information to cheat file 
//fp_cheat = fopen("c:\\cheatfile.txt", "a"); 

//fprintf(^_cheat, "%s\n", szFilterLine[JOURNALPLAYBACKINDEX]); 
//fciose(fp_cheat); 

free(ipEventChain); 
IpEventChain = IpPlayEvent = NULL ; 

InstaIlFilter(JOURNALPLAYBACKINDEX, FALSE); 
hMenu = GetMenu(hwndMain); 

CheckMenuItem(hMenu, IDMJOURNALPLAYBACK, MF^UNCHECKED | MF_,BYCOMMAND); 
EnableMenuItem(hMenu, IDMJOURNALPLAYBACK, MF_DISABLED | MF_GRAYED i MF_BYCOMMAND); 

} 

else 
{ 

dwLastEventTime - lpPIayEvent->Event,dme; 
IpPlayEvent = lpPlayEvent->ipNextEvent; 

free(ipEventChain); 
IpEventChain = IpPlayEvent; 

} 

} 

else if ( nCode = HC_GETNEXT) 
{ 

IpEvent^ (LPEVEKIMSG) IParam; 
lpEvent->message = !pPlayEvent->Eventmessage; 
IpEvent->paramL — lpPIayEvent->Event.paramL; 
IpEvent->paramH = lpPiayEvent->Event.paramH; 
ipEvent->time = IpPlayEvent->Event.time + dwTimeAdjust; 



wsprintf((LPSTR)szFiIterLine[JOURNALPLAYBACKINDEX], 

"WHJOURNALPLAYBACK - Playing Event %d times 
nRepeatRequests-H-); 
// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1, nLineHeight * JOURNALPLAYBACKINDEX, 

// (LPSTR)szFilterLine[JOURNALPLAYBACKINDEX], 
// strlen(szFilterLine[JOURNALPLAYBACKINDEX]), 0, NULL, 1); 

// ReleaseDC(hwndMain, hDC); 
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// save information to cheat file 
//fp_cheat = fopen(V:\\cheatfile.txt", "a"); 

//fprintf(fp_cheat, "%s\n", szFilterLine[JOURNALPLAYBACKINDEX]); 
//fclose(fp_cheat); 

IRetumVaiue = !pEvent->time - GetTickCountQ; 

// 

// No Long ( negative ) wmts 

// 

if ( IRetumVaiue <0L) 
{ 

IRetumVaiue -OL; 
IpEvent->time = GetTickCount(); 

} 

return ( (DWORD) IRetumVaiue ); 

} 

// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1 , nLineHeight * JOURNALPL AYBACKINDEX, 
// (LPSTR)szFiIterLine[JOURNALPLAYBACKINDEX], 
// strlen(szFilterLine[JOURNALPLAYBACKINDEX]), 0, NULL, 1); 

// ReleaseDC(hwndMain, hDC); 
} 

// save information to cheat file 
//fp_cheat = fopen("c:\\cheatfile.txt", "a"); 

//fprintf(fp_,cheat, "JNLPLY %s\n", szFiIterLine[JOURNALPLAYBACKINDEX]); 
// fcl ose(fp_che at) ; 

return( CallNextHookEx(hhookHooks[JOURNALPLAYBACKINDEX], nCode, wParam, IParam)); 

} 

//. 

// JoumalRecordFunc 

// 

// Filter function for the WH JOURNALRECORD 

// 

II 

LRESULT CALLBACK JoumalRecordFunc (int nCode, WPARAM wParam, LPARAM IParam ) 

{ 

// HDC hDC; 
EventNode *lpEventNode; 
LPEVENTMSG IpEvent; 
HMENU hMenu; 

if(nCode >=0) { 

IpEvent = (LPEVENTMSG) IParam; 

// 

// Skip recording while playing back 
// This is not a limitation of the hooks. 

// This is only because of the simple event storage used in this example 

// 

if ( HookStates[JOURNALPLAYBACKINDEX] ) 
{ 

wsprintf((LPSTR)szFilterLine[JOURNALRECORDINDEX], 

"WH„JOURNALRECORD\tSkipping Recording during Playback 
// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1, nLineHeight * JOURNALRECORDINDEX, 

// (LPSTR)szFiIterUne[JOURNALRECORDINDEX], 
// strlen(szFilterLine[JOURNALRECORDINDEX]), 0, NULL, 1); 

// ReleaseDC(hwndMain, hDC); 

// save information to cheat file 
//fp_cheat = fopen("c:\\cheatfiIe.txt", "a"); 

//fprintf(^_cheat, "%s\n", szFiIterLine[JOURNALRECORDINDEX]); 
//fcIose(fp_cheat); 



return 0; 
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} 

// 

// Stop recording ? 

// 

if ( lpEvent->message = WM_KEYDOWN && LOBYTE(IpEvent->paramL) VK_F2 ) 
{ 

wsprintf((LPSTR)szFiiterLine[JOURNALRECORDINDEX], 

"WHJOURNALRECORD\tRecording Stopped with F2 

"); 

InstaIlFiiter(JOURNALREC0RDINDEX, FALSE); 
hMenu = GetMenu(hwndMain); 

CheckMenuItem(hMenu, IDMJOURNALRECORD, MF_UNCHECKED | MF_BYCOMMAND); 
EtiableMenuItem(hMenu, IDMJOURNALPLAYBACK, MF_ENABLED | MF_BYCOMMAND); 
return 0; 

} 

if ( (IpEventNode - (EventNode *)malloc(si2eof(EventNode))) = NULL ) 
. { 

wsprintf((LPSTR)szFiIterLine[JOURNALRECORDINDEX], 

"WH_JOURNALRECORD\tNo Memory Available"); 
InstallFilteraOURNALRECORDINDEX, FALSE); 
hMenu = GetMenu(hwndMain); 

CheckMenuItem(hMenu, IDMJOURNALRECORD, MF_UNCHECKED | MF_BYCOMMAND); 
EriableMenuItem(hMenu, IDMJOURNALPLAYBACK, MF_ENABLED | MF_BYCOMMAND); 

} 



if ( IpLastEvent = NULL ) 
{ 



} 

else 

{ 

} 



dwStartRecordTime = (DWORD) GetTickCountO; 
IpEventChain - IpEventNode; 



IpLastEvent->IpNextEvent = IpEventNode; 



IpLastEvent = IpEventNode; 
lpLastEvent->IpNextEvent = NULL; 

lpLastEvent->Event.message = lpEvent->message; 
IpLastEvent->Event.paraniL - IpEvent->paramL; 
IpLastEvent->Event.paramH = lpEvent->paramH; 
IpLastEvent->Event.time = IpEvent->time, 



wsprintf((LPSTR)szFiIterLine[JOURNALRECORDINDEX], 

"WH_JOURNALRECORD\tRecording\tTime:%d\tPRESS F2 To Stop Recording\t%s 
lpEvent->time,szMessageString(IpEvent->message)); 

// hoc = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1, nLineHeight * JOURNALRECORDINDEX, 
// (LPSTR)szFiIterLine[JOURNALRECORDrNDEX], 
// strIen(szFilterLine[JOURNALRECORDINDEX]), 0, NULL, 1); 

// ReleaseDC(hwndMain, hDC); 

// save information to cheat file 
//fp_cheat = fopen("c:\\cheatfile.txt", "a"); 

//fprintf(fp_cheat, "JNLREC %s\n", szFiIterLine[JOURNALRECORDINDEX]); 
//fclose(^_cheat); 

return 0; 

} 

return (CaUNextHookEx(hhookHooks[JOURNALRECORDINDEX], nCode, wParam, IParam)); 

} 

// KeyboardFunc 
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// 

// Filter function for the WH_KEYBOARD 

// 

11 

LRESULT CALLBACK KeyboardFunc (int nCode, WPARAM wParam, LP ARAM IParam ) 
{ 

// HDC hDC; 

if ( nCode >= 0 ) 
{ 

if ( nCode == HC_NOREMOVE ) 

strcpy(szType, "NOT Removed from Queue"); 

else 

strcpy(s2Type, "REMOVED from Queue ") 

switch(wParam) 

{ 



// Who : Belsen Lin 

//Date : 9/1/00 9:38:42 AM 

// Reason : To disable Control-Break, Print-Screen and Shift key 

//Modify [Begin] 



case VK_SNAPSHOT : 
{ 

OpeuCIipboard(NULL); 

EmptyClipboardQ; 

CloseClipboardQ; 

} 

//Modify [End] 

case VK„CANCEL: 



// Who : Robin wei 

//Date : 00-9-21 18:09:38 

// Reason : Shift should not be disabled ,cause it will be used by shortcut key. 

#ifO// Delete [Begin] 

caseVK_SHlFT: 
#endif //Delete [End] 



case VK_F1: 
case VK_F2: 
case VK_F3: 
case VK_F4: 
case VK_F6: 
case VK_F8: 
case VK_F9: 
case VK_F10: 
case VKJll: 
case VK_F12 : 



// Who : Belsen Lin 

//Date : 9/1/00 9:39:45 AM 

//Reason : To disable Esc key 

//Modify [Begin] 

caseVK__ESCAPE: 

//Modify [End] 

case 93: return 1; 



case 'O': 

{ 

if (GetKeyState(17) & 0x8000) 
return 1; 

{ 

HWND hWnd; 

hWnd - GetForegroundWindowQ; 
if(hWnd) 
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9.0")=0) 



chartmpStr[80], 

GetCIassName(hWnd,tmpStr,80); 
if{stricmp(tmpStr,"bosa_sdm_Microsoft Word 
{ 

char buflSO]; 

GetWindowText(hWnd,buf,sizeof(biif)); 

CharUpper(buf); 
if(strstr(buf;'SPELLING")) 
{ 

if(GetKeyState(VK_MENU) & 0X8000 ) 
{ 

return 1; 

} 

} 

} 



case 'E': 
case 'F': 
case 'M': 



} 

break; 



if(GetKeyState(VK_SHIFT) & 0X8000 && GetKeyState(VK_MENU) & 0X8000 ) 
{ 

return 1; 

} 



case VK_SUBTRACT: 

if(GetKeyState(VK_MENU) & 0X8000 ) 
{ 

return 1; 

} 

break; 



// case WM__CHAR: 

// return 0; 



default : 

} 



break; 



} 

// 

// We looked at the message ... sort of processed it but since we are 
// looking we wil! pass all messages on to CallNextHookEx. 
// 

retum( CallNextHookEx(hhookHooks[KEYBOARDINDEX], nCode, wParam, IParam)); 

} 



//. 

// MouseFunc 
// 

// Filter function for the WH_MOUSE 

// 

// T. Regan4/1 1/99 Changed 225 to 244 

// and in case WM„LBUTTONDOWN: 

// from ((MouseHookParam->pt.x 1 1 8) && (MouseHookParam->pt.x 1 53) 

// to ((MouseHookParam->pt.x >= 1 50) && (MouseHookParam->pt.x <= 1 86) 

// and 

// from if ((MouseHookParam->pt.x >= 11 8) && (MouseHookParam->pt.x <= 1 53) 

// to if ((MouseHookParam->pt.x >= 1 50) && (MouseHookParam->pt.x <= 1 86) 

//T.Regan4/17/99 Cleanup. 
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// 

LRESULT CALLBACK MouseFunc (int nCode, WPARAM wParam, LPARAM IParam ) 
{ 

// HDC hDC; 

LPMOUSEHOOKSTRUCT MouseHookParam; 
// LPTSTR chBuf = (char*) maIloc(sizeof(char) * 255); 

intretVal= -I; 
// SYSTEMTIME systime; 



if(nCode>=0) { 
if ( nCode = HC_NOREMOVE ) 

strcpy(szType, "NOT Removed from Queue"); 

else 

strcpy(szType, "REMOVED from Queue "); 
MouseHookParam - (MOUSEHOOKSTRUCT *) IParam; 
if (bgotstarttime FALSE) 

bgotstarttime = TRUE; 

// if timefile exists, it's a restart, so use it's time as start time 
fpjime = fopen("c:\\tlmefile.txt", "r"); 

if(fpjime !=NULL) 
{ 

fscanf(fp_time, "%ld", &start); 
fclose(fp_time); 

} 

else 
{ 

time( &start ); 

// save start time to time file 

fpJime - fopen("c:\\timefile.txt", "w+"); 
fi)rintf(fpjime, "%id", start); 
fclose(fp_time); 

} 

} 

if ((MouseHookParam->pt.x >= 700) && (MouseHookParam->pt.y <= 50)) 
return 1; 



if ((MouseHookParam->pt.x >= 0) && (MouseHookParam->ptx <= 10) 

&& (MouseHookParam->pt.y >= 0) && (MouseHookParam->pt.y <= 50) 
) 

return 1; 



// prevent to float the menu bar. 
if ((MouseHookParam->ptx >= 200) //&& (MouseHookParam->pt.x <= 799) 

&& (MouseHookParam->pt.y >= 0) && (MouseHookParam->pt.y <== 50) 
) 

return 1; 



switch(wParam) 
{ 

case WM_RBUTTONDOWN: 

case WM_RBUTTONUP: 

case WM_NCRBUTTONDOWN: 

case WM_NCRBUTTONUP: 

case WM_SYSCOMMAND: 
/* wsprintf((LPSTR)szFilterLine[MOUSEINDEX], 

"MOUSE\t\tWnd:%d Point:%d %d\t%s %s",MouseHookParam->hwnd, 

MouseHookParam->pt.x,MouseHookParam->pt.y, 

szMessageString(wParam),(LPSTR)szType); 
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hDC - GetDC(hwndMain); 

TabbedTextOut(hDC, 1, nLineHeight * MOUSEINDEX, 

(LPSTR)szFiiterLme[MOUSEINDEX], strlen(szFilterLme[MOUSEINDEX]), 

0, NULL, 1 ); 
ReleaseDC(hwndMain, hDC);*/ 
return I ; 

case WM_LBUTTONDBLCLK: 
if(bEnableDBClick) 
{ 

break; 

} 

else 
{ 

return 1: 



case WM_LBUTTONDOWN: 
{ 



if (GetKeyState(VK_MENU) & 0x8000) 
return 1; 



// Who : Robin wei 
//Date : 00-8-22 17:27:32 
// Reason : Move this code to VBA 
#if0 //Delete 



SWP_NOSIZE); 



■ [Begin] 



wndHwnd = FindWindow(NULL, "Time"); 
SetWindowPos((HWND)wndHwnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE 



if ((wndHwnd !- 0) && 

((MouseHookParam->pt.x >= 150) && (MouseHookParam->pt.x <= 186) 
&& (MouseHookParam->pty >= 21) && (MouseHookParam->pt.y <= 40))) 
return 1; 



//else 



//tpr 
//tpr 
%d:%d:%d'V 
//tpr 
//tpr 



//PostMessage(wndHwnd,WM_CLOSE,0,0); 



%02d:%02d:%02d",cur_time,hrs, mins, sees); 
MB_TASKMODAL); 

} 



GetSystemTime(&systime); 

sprintf(curjime;'StartTime : %d:%d:%d\nCurrent Time : %d:%d:%d\nElapsed Time 

starttime.wHour,starttime.wMinute,starttime.wSecond, 
systime.wHour,systime.wMinute,systime.wSecond); 

if ((MouseHookParam->pt.x >= 150) && (MouseHookParam->pt.x <= 186) 
&& (MouseHookParam->pt.y >= 21) && (MouseHookParam->pt.y <- 40)) 

{ 

_strtime(cur_time); 
time( &fmish ); 

elapsed = (unsigned Iong)difftime( finish, start ); 

hrs = (unsigned Iong)elapsed / 3600; 
mins = (int)(elapsed - (hrs * 3600)) / 60; 
sees = (int)elapsed - (hrs * 3600) - (mins * 60); 
sprintf(timemsg, "Current time: %s\nEIapsed time: 



MessageBox( NULL,timemsg, "Time", MB_OK | MB^TOPMOST 1 
wndHwnd = FindWindow(NULL, "Time"); 
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#endif //Delete [End] 



} 

default: 

\vsprintf{(LPSTR)s2FiIterLine[M0USErNDEX], 
"MOUSE\t\tWnd:%d Point:%d %d\t%s %s",MouseHookParam->hwnd, 
MouseHookParam->ptXjMouseHookParam->pt.y, 
szMessageString(wParam),(LPSTR)szType); 
wsprintf((LPSTR)szFiIterLine[MOUSEINDEX], 

"MOUSE\t\tWnd:%d Pomt:%d %d\t%s %s",MouseHookParam->hwnd, 

MouseHookParam->pt.x,MouseHookParam->pty, 

szMessageString(wParam),(LPSTR)szType); 

// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1, nLineHeight * MOUSEINDEX, 

// ' (LPSTR)szFUterLine[MOUSEINDEX], strlen(szFilterLine[MOUSEINDEX]), 

// 0,NULL, 1); 

// ReIeaseDC(hwndMam, hDC); 

break; 

} 

// save information to cheat file 
// fp_cheat = fopen("c:\\cheatfile.txt", "a"); 

// fiDrintf(fp_cheat, "%s\n", szFilterLine[MOUSEINDEX]); 

// fclose(fp_cheat); 
} 

// 

// We looked at the message .„ sort of processed it but since we are 
// looking we will pass all messages on to CallNextHookEx. 

// 

retum( CaHNextHookEx(hhookHooks[MOUSEINDEX], nCode, wParam, IParam)), 

} 

II 

// SysMsgFilterFunc 

// 

// Filter function for the WH_SYSMSGFILTER 

// 

// 

LRESULT CALLBACK SysMsgFilterFunc (int nCode, WPARAM wParam, LP ARAM IParam ) 
{ 

MSG *lpMsg; 
// HDC hDC; 

if(nCode >-0) 
{ 

if ( nCode = MSGF^DIALOGBOX ) 

strcpy(szType,"Dialog"); 

else 

strcpy(szType,"Menu"); 

switch(nCode) 
{ 

case MSGF_DIALOGBOX: 

strcat(szType, "_DiaIog"); 

break; 
case MSGF_MENU: 

strcat(szType, "_Menu"); 

break; 

case MSGF_NEXTWINDOW: 

strcat(szType, "_AltTab"); 
break; 

case MSGF„SCROLLBAR: 

strcat(szType, "_ScronBar"); 
break; 

} 
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IpMsg = (MSG *) IParam; 
wsprintf((LPSTR)szFilterUne[SYSMSGFILTERINDEX], 

"SYSMSGFILTER\t%s\tWnd-%d Time:%d Poinf%d %d %s 
(LPSTR)szType, lpMsg->hwn4 lpMsg->time, 
lpMsg->pt.x, IpMsg->pt.y, szMessageString(IpMsg->message)); 

// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1, nLineHeight * SYSMSGFILTERINDEX, 

// (LPSTR)szFilterLine[SYSMSGFILTERINDEX], 

// strien(szFnterLine[SYSMSGFILTERINDEX]), 0, NULL, 1 ); 

// Re!easeDC(hwndMam, hDC); 

// save information to cheat file 
//fp_cheat = fopen("c:\\cheatfiie.txt", "a"); 

//fi)rintf(fp_cheat, "SYSMSG %s\n", szFilterLine[SYSMSGFILTERINDEX]); 
//fclose(fp_cheat); 

} 

// 

// We looked at the message ... sort of processed it but since we are 
// looking we will pass all messages on to CallNextHookEx, 

// 

retum( CaIlNextHookEx(hhookHooks[S YSMSGFILTERINDEX], nCode, wParam, IParam)); 

} 

//. „ 

// SysMsgFilterFunc 

// 

// Filter function for the WH^SYSMSGFILTER 

// 

LRESULT CALLBACK DebugFilterFunc (int nCode, WPARAM wParam, LPARAM IParam ) 

{ 

PDEBUGHOOKINFO pDebugHook; 
// HDC hDC; 
static int Called=0; 

if(nCode>=0) 
{ 

pDebugHook = (PDEBUGHOOKINFO) IParam; 
wsprintf((LPSTR)szFilterUne[DEBUGFILTERINDEX], 

"DEBUGFILTERUCalled %d Times 

-H-Called); 

// hDC = GetDC(hwndMain); 

// TabbedTextOut(hDC, 1, nLineHeight ♦ DEBUGFILTERINDEX, 

// (LPSTR)s2FilterLine[DEBUGFILTERINDEX], 
// strlen(szFiIterLine[DEBUGFILTERINDEX]), 0, NULL, 1 ); 

// ReleaseDC(hwndMain, hDC); 

// save information to cheat file 
//fp_cheat = fopen("c:\\cheatfile.txt", "a"); 

//fprintf(fp_cheat, "DBG%s\n", szFilterLine[DEBUGFILTERINDEX]); 
// fcl ose(fp_cheat) ; 

} 

// 

// We looked at the message ... sort of processed it but since we are 
// looking we will pass all messages on to CallNextHookEx, 

// 

return( CallNextHookEx(hhookHooks[SYSMSGFILTERINDEX], nCode, wParam, IParam)); 

} 

I! 

// SysMsgFilterFunc 

// 

// Filter function for the WH_SHELL 

// 

II 
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LRESULT CALLBACK Shell FilterFunc (int nCode, WPARAM wParam, LP ARAM IParam ) 
{ 

// HDChDC; 
static int Called=0, 

if(nCode >==0) 
{ 

switch ( nCode ) 
{ 

case HSHELL_ACTIVATESHELL WINDOW: 
wsprintf((LPSTR)szFilterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_ACTIVATESHELL\\TNDOW" ); 

break; 

case HSHELL_GETMINRECT: 

// wParam is handle of window being maximized or minimized 
// IParam contains address of RECT that receives corrdi nates 
wsprintf((LPSTR)szFilterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_GETMINRECT" ); 

break; 

"case HSHELL_LANGUAGE: 

// keyboard language was changed or new keyboard layout loaded 
wsprintf((LPSTR)szFiiterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_LANGUAGE" ); 

break; 

case HSHELL_REDRAW: 

// wParam contains handle of window in taskbar that has been redrawn 
wsprintf({LPSTR)szFiiterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_REDRAW" ); 

break; 

case HSHELL_TASKMAN: 

// user has selected task list 
// wParam is undefined and must be ignored 
wsprintf((LPSTR)szFilterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_TASKMAN" ); 

break; 

case HSHELL_WINDOWACTIVATED: 

// wParam contains handle of activated top-level, unowned window 
wsprintf((LPSTR)szFilterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_WINDOWACTIVATED" ); 

break; 

case HSHELL_WINDOWCREATED: 

// wParam is handle of top-level, unowned window created 
wsprintf((LPSTR)szFilterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_WINDOWCREATED" ); 

break; 

case HSHELL^WINDOWDESTROYED: 

// wParam is handle of top-level, unowned window destroyed 
wsprintf((LPSTR)szFilterLine[SHELLFILTERINDEX], 

"WH_SHELL,HSHELL_WINDOWDESTROYED" ); 

break; 

// save information to cheat file 
//fp_cheat = fopen("c:\\cheatfile.txt", "a"); 

//fprintf(fp_cheat, "SHELL %s\n", szFilterLine[SHELLFILTERINDEX]); 

//fclose(fp_cheat); 

} 

} 
// 

// We looked at the message ... sort of processed it but since we are 
// looking we wili pass all messages on to CallNextHookEx. 
// 

return( CallNextHookEx(hhookHooks[SYSMSGFILTERINDEX], nCode, wParam, IParam)); 

} 



//- 

// MessageString 
// 
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// Function to load string from the STRINGTABLE 
// 

II 

char *szMessageString(int ID) 
{ 

static char szBuffer[256]; 

if ( LoadString(hInstance, ID, szBuffer, 255) = 0) 

strcpy(szBufferj "Unknown Message"); 

return (szBuffer); 

} 



// Who : Robin wei 

//Date : 00-8-24 17:13:24 

// Reason : Replace the ole one with the one from Admin Hooks32 

//Modify [Begin] 

#defme MsgBox(msg) ; 

BOOL CALLBACK CAPIDecryptFile(PCHAR szSource, PCHAR szDestination, PCHAR szPassword) 
{ 

FILE*hSource -NULL; 
FILE *hDestination = NULL; 
INTeof=0; 

inttest=0; 
HCRYPTPROV hProv =0; 
HCRYPTKEYhKey =0; 
HCRYPTHASHhHash =0; 



PBYTEpbKeyBlob = NULL; 
DWORD dwKeyBlobLen; 

PBYTE pbBuffer = NULL; 
DWORD dwBIockLen; 
DWORD dwBufferLen; 
DWORD dwCount; 

LPVOID IpMsgBuf; 

WORD PassLen; 

char szSavedPass[256]; 
BOOL status = FALSE; 



MsgBox(szSource); 
MsgBox(szDestination); 
// Open source file. 

if((hSource = fopen(szSource,"rb")) = NULL) { 

FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER 1 
FORMAT_MESSAGE„FROM_SYSTEM, 

NULL, 

GetLastErrorO, 



MAKELANGID(LANG_NEUTRAL, SUBLANG„DEFAULT), // Default language 

(LPTSTR) &lpMsgBuf, 

NULL );// Display the string, 

MsgBox(IpMsgBuf); 
LocaiFree(lpMsgBuf); 

goto done; 

} 

test = 0; 

MsgBox("Before create file"); 
// Open destination file. 

if((hDestination = fopen(szDestination,"wb")) NULL) { 

MsgBoxC'Error opening Plaintext file!\n"); 

goto done; 

} 

MsgBox("before Get Key create file"); 
test-0; 

// Get handle to the default provider, 

if(!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0)) { 
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// new code goes here 

// Fail if no keyset being create before . Try to create one 

if(!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET )) { 
char err[1024]; 

sprintf(err,"Error %x during CryptAcquireContext!\n", GetLastError()); 
MsgBox(err); 

goto done; 

} 

} 

test = 0; 

if(strcmpi(s2Password,"") ~ 0) { 

// Decrypt the file with the saved session key. 

// Read key blob length from source file and allocate memory, 
fread(&dwKeyBIobLen, sizeof(DWORD), 1, hSource); 
if(ferror(hSource) || feof(hSource)) { 

MsgBox(" Error reading file header! \n"); 
goto done; 

} 

if((pbKeyBlob = (unsigned char*)manoc(dwKeyBlobLen)) =-= NULL) { 
MsgBoxC'Out of memory or improperly formatted source file!\n"); 
goto done; 

} 

// Read key blob fi^om source file, 
fread(pbKeyBlob, 1, dwKeyBlobLen, hSource); 
if(ferror(hSource) || feof(hSource)) { 

MsgBox("Error reading file header!\n"); 

goto done; 

} 

// Import key blob into CSP. 

if(!CryptImportKey(hProv, pbKeyBIob, dwKeyBlobLen, 0, 0, &hKey)) { 
MsgBox("Error %x during CryptImportKey!\n", GetLastErrorQ); 
goto done; 

} 

} else { 

// Decrypt the file with a session key derived from a password. 
test = 0; 

// Create a hash object. 

if(lCryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)) { 
MsgBoxC'Error %x during CryptCreateHash!\n", GetLastErrorQ); 
goto done; 

} 

test-0; 

// Hash in the password data. 

if(!CryptHashData(hHash»(unsigned char*) szPassword, strIen(szPasswordX 0)) { 
MsgBoxC'Error %x during CryptHashData!\n", GetLastErrorQ); 
goto done; 

} 

test ^ 0; 

// Derive a session key fix>m the hash object. 

if(ICryptDeriveKey(hProv, ENCRYPT_ALGORITHM, hHash, 0, &hKey)) { 
MsgBoxC'Error %x during CryptDeriveKey!\n", GetLastErrorQ); 
goto done; 

} 

test 0; 

// Destroy the hash object. 
CryptDestroyHash(hHash); 
hHash = 0; 
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// Determine number of bytes to decrypt at a time. This must be a multiple 
// of ENCRYPT_BLOCK_SIZE. 

dwBlockLen= 1000 - 1000 % ENCRYPT_BLOCK_SIZE; 
dwBufferLen = dwBlockLen; 

// Allocate memory. 

if((pbBuffer ~ (unsigned char *)malloc(dwBufferLen)) == NULL) { 
MsgBox("Out of memory !\n"); 
goto done; 

} 

memset(pbBuffer,'\0', 1000); 
test = 0; 

// 8/9/2000 
// Robin.Wei 

// Begin 

if(strcmpi(szPassword,"")) // User provide Password , we encrypte it first , 

// so that we can determind whether the 

Decrypted is right 
{ 

// Read up to 'dwBlockLen' bytes from source file. 
dwCount = fread(pbBuffer, 1, dwBlockLen, hSource); 
if(ferror(hSource)) { 
MsgBox("Error reading Ciphertext!\n"); 
goto done; 

} 

// Decrypt data 

if(!CryptDecrypt(hKey, 0, FALSE, 0, pbBuffer, &dwCount)) { 
MsgBoxC'Error %x during CryptDe crypt !\n", GetLastErrorQ); 
goto done; 

} 



PassLen = MAKEWORD(*pbBuffer,*(pbBuffer+l)); 
if(PassLen >= dwCount-2 || PassLen <=0) 
goto done; 

ZeroMemory{szSavedPass,sizeof(szSavedPass)); 

memcpy(szSavedPass,pbBuffer+2,PassLen); 
if(strcmpi(szPassword,szSavedPass)— 0) 
{ 

// Write data to destination file. 
fwrite(pbBuffer+2+PassLen, 1, dwCount-2 -PassLen, hDestination); 
if(ferror(hDestination)) { 

MsgBoxC'Error writing Plaintext!\n"); 
goto done; 

} 

}else 
{ 

goto done; 

} 

} 

// -End 

// Decrypt source file and write to destination file. 
do{ 

// Read up to 'dwBlockLen' bytes from source file. 
dwCount = fi:ead(pbBuffer, 1, dwBlockLen, hSource); 
if(ferror(hSource)) { 
MsgBoxC'Error reading Ciphertext!\n"); 
goto done; 

} 

test=0; 

eof = feof(hSource); 
// Decrypt data 
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if(!CryptDecrypt(hKey, 0, eof, 0, pbBuffer, &dwCount)) { 
MsgBox("Error%x during CryptDecrypt!\n", GetLastErrorO); 
goto done; 

} 

// Write data to destination file. 

f\vrite(pbBuffer, 1, dwCount, hDestination); 
if(ferror(hDestination)) { 
MsgBoxC'Error writing Plaintext!\n"); 
goto done; 

} 

test = 0; 
} while(!feof(hSource)); 

status = TRUE; 

printfC'OKVn"); 

done: 

// Close files. 

if(hSource) fc lose (h Source); 
if(hDestination) fclose(liDestination); 

// Free memory, 

if(pbKeyBlob) free(pbKeyBlob); 
if(pbBuffer) free(pbBuffer); 

// Destroy session key. 

if(hKey) CryptDestroyKey(hKey); 

// Destroy hash object. 
if(hHash) CryptDestroyHash(hHash); 

// Release provider handle. 

if(hProv) CryptReleaseContext(hProv, 0); 

retum(status); 
//Modify [End] 



// Who : Robin wei 

//Date : 00-8-24 17:12:49 

// Reason : This funtion seem not correct. Replace it with the one from Admin\Hook32 

#ifO// Delete [Begin] ^ ^ n^^^,, jy a\ 

BOOL CALLBACK CAPIDecryptFile(PCHAR szSource, PCHAR szDestmation, PCHAR szPassword) 

{ 

BOOL eof= FALSE; 
DWORD dwErrCode; 
HANDLE hSourceFile; 
HANDLE hTargetFile; 



HCRYPTPROVhProv -0; 
HCRYPTKEY hKey -0; 
HCRYPTKEY hXchgKey = 0; 
HCRYPTHASHhHash =0; 

PBYTE pbKeyBIob = NULL; 
DWORD dwKeyBIobLen; 

PBYTE pbBuffer - NULL; 
DWORD dwBlockLen; 
DWORD dwBufferLen; 
DWORD dwCount; 

DWORD dwBytesWritten; 

DWORD dwBytesRead; 
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BOOL bWriteRetVal = FALSE; 
BOOL status = FALSE; 

LPVOID IpMsgBuf; 
int test = 0; 

// Open source file, 

hSourceFile = CreateFiIe{szSource, 



dwErrCode = GetLastErrorO; 

if(hSourceFile= INVALID_HANDLE_VALUE) 

{ 

// new code goes here 

FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER i 
FORMAT MESSAGE_FROM_SYSTEM, 



MAKELANGID(LANG_NEUTRAL. SUBLANG_DEFAULT), // Default language 

ifclpMsgBuf, 0, NULL yj! Display the string. 

LocalFree(lpMsgBuf); 

return FALSE; 



GENERIC_READ, 
0, 

NULL, 

OPEN_EXISTING, 

FILE_ATTRIBUTE_NORMAL, 

NULL); 



NULL, 
dwErrCode, 



(LPTSTR) 



test-0; 

HTargetFile = CreateFile(szDestmation, 



dwErrCode = GetLastErrorQ; 



GENERIC_WRITE, 
0, 

NULL, 

CREATE_ALWAYS, 

FILE_ATTRIBUTE_NORMAL, 

NULL); 



if{hTargetFile = INVALID_HANDLE_VALUE) 
{ 

// new code goes here 

FormatMessage( FORMAT„MESSAGE_ALLOCATE_BUFFER 1 
FORMAT_MESSAGE„FROM_SYSTEM, 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

&lpMsgBuf, 0, NULL);// Display the string. 

LocalFree(lpMsgBuf); 
return FALSE; 

} 

test = 0; 

// Get handle to the default provider. 

if(tCryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0)) { 
printf("Error %x during CryptAcquireContext!\n", GetLastErrorO); 
return FALSE; 

} 

test = 0; 

ifi[strcmpi(szPassword,"") 0) { 

// Decrypt the file with the saved session key. 

// Read key blob length fi-om source file and allocate memory. 



NULL, 
dwErrCode, 



(LPTSTR) 
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BOOL bReadRetVal = ReadFile(hSourceFile, 



&dwK:eyBlobLen, 
sizeof(DWORD), 
&dwBytesRead, 
NULL); 



dwErrCode = GetLastErrorQ; 
ifi(!{bReadRetVal > 0)) 

{ 

FormatMessage( 
FORMAT_MESSAGE_FROM_SYSTEM, 



FORMAT_MESS AGE_ALLOCATE_BUFFER 1 



MAKELANGID(LANG_NEUTRAL, SUBLANG__DEFAULT), // Default language 



NULL, 
dwErrCode, 



(LPTSTR) 



&IpMsgBuf, 0, NULL );// Display the string. 

LocalFree(lpMsgBuf); 
return FALSE; 

} 



test = 0; 

if((pbKeyBiob - (unsigned char*)malloc{dwKeyBlobLen)) NULL) { 
printfC'Out of memory or improperly formatted source filel\n"); 
return FALSE; 

memset(pbKeyBlob,NUmdwKeyBIobLen); 
test = 0; 

// Read key blob from source file. 
bReadRetVal = ReadFile(hSourceFile, 



dwErrCode GetLastErrorO; 
if(!(bReadRetVal>0)) 

{ 

FormatMessage( 
FORMAT_MESSAGE_FROM_SYSTEM, 



pbKeyBiob, 
dwKeyBlobLen, 
fedwBytesRead, 
NULL); 



FORMAT_MESSAGE__ALL0CATE_BUFFER | 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

&lpMsgBuf, 0, NULL );// Display the string. 

LocaiFree(lpMsgBuf); 
return FALSE; 

} 

test = 0; 

// Import key blob into CSP. 

if(lCryptImportKey(hProv, pbKeyBIob, dwKeyBlobLen, 0, 0, &hKey)) { 
printf("Error %x during CryptImportKey!\n", GetLastErrorO); 
return FALSE; 



NULL, 
dwErrCode, 



(LPTSTR) 



} else { 



} 

// Decrypt the file with a session key derived from a password. 
// Create a hash object. 

if(!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)) { 
printfC'Error %x during CryptCreateHash!\n", GetLastErrorO); 
return FALSE; 

) 

test = 0; 

// Hash in the password data 

if(!CryptHashData(hHash,(unsigned char*) szPassword, strlen(szPassword), 0)) { 
printfC'Error %x during CryptHashData!\n", GetLastErrorO); 
return FALSE; 

} 

test = 0; 

// Derive a session key from the hash object. 

if(!CryptDeriveKey(hProv, ENCRYPT„ALGORITHM, hHash, 0, &hKey)) { 
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printfC'Error %x during CryptDeriveKey!\n", GetLastErrorQ); 
return FALSE; 

} 

test = 0; 

// Destroy the hash object. 
Cry ptDestroy Hash(hHash) ; 
hHash = 0; 



// Determine number of bytes to decrypt at a time. This must be a multiple 
// of ENCRYPT_BLOCK_SIZE. 

dwBlockLen = 1000 - 1000 % ENCRYPT_BLOCK_SIZE; 
dwBufferLen = dwBlockLen; 

// Allocate memory. 

if((pbBuffer = (unsigned char *)mal]oc(dwBufferLen)) = NULL) { 
printfC'Out of memory !\n"); 
return FALSE; 

} 

memset(pbBuffer,NULL,dwBufferLen); 
test - 0; 

// Decrypt source file and write to destination file. 
do{ 

// Read up to 'dwBlockLen' bytes from source file. 

BOOL bReadRetVal = ReadFile(hSourceFile, 

pbBuffer, 
dwBlockLen, 
&dwBytesRead, 
NULL); 

dwErrCode = GetLastErrorQ; 
if(!(bReadRetVai>0)) 

^ FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | 

FORMAT MESSAGE FROM SYSTEM, 

" ~ NULL, 

dwErrCode, 

MAKELANGID{LANG NEUTRAL, SUBLANG_DEFAULT), // Default language 

(LPTSTR) 

&1pMsgBuf, 0, NULL );// Display the string. 

LocalFree(IpMsgBuf); 
return FALSE; 

} 

test = 0; 

if(dwBytesRead = 0) 
eof-TRUE; 

else 

eof- FALSE; 

// Decrypt data 

if(!CryptDecrypt(hKey, 0, eof, 0, pbBuffer, &dwBytesRead)) { 
printf("Error %x during CryptDecrypt!\n", GetLastErrorQ); 
return FALSE; 

} 

test=0; 
// Write data to destination file. 

bWriteRetVal = WriteFile( hTargetFile, 

pbBuffer, 
dwBytesRead, 
&dwBytesWritten, 
NULL); 

dwErrCode = GetLastErrorQ; 
if(!(bWriteRetVal>0)) 

^ FormatMessage( FORMAT^MESS AGE_ALLOCATE„BUFFER | 

FORMAT_MESS AGE_FROM_S YSTEM, 
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dwErrCode, 

MAKELANGID(LANG NEUTRAL, SUBLANG_DEFAULT), // Default language 

(LPTSTR) 

&lpMsgBuf, 0, NULL );// Display the string. 

LocalFree(lpMsgBuf); 
return FALSE; 

} 

} while(!(dwBytesRead > 0)); 
test = 0; 
status = TRUE; 

//Close files- 

if(hSourceFi!e) CloseHandle(hSourceFile); 
if(hTargetFile) CloseHandle(hTargetFile); 

// Free memory. 

if(pbKeyBlob) free(pbKeyBlob); 
' if(pbBuffer) free(pbBuffer); 

// Destroy session key. 
if(hKey) CryptDestroyKey(hKey); 

// Destroy hash object. 

if(hHash) CryptDestroyHash(hHash); 

// Release provider handle. 

if(hProv) CryptReleaseContext(hProv, 0); 

retum(status); 

} 

#endif //Delete [End] 

BOOL CALLBACK C APIEncryptFiie(PCHAR szSource, PCHAR szDestination, PCHAR szPassword) 
{ 

BOOL eof= FALSE; 

DWORD dwErrCode; 
HANDLE hSourceFile; 
HANDLE hTargetFile; 

HCRYPTPROV hProv =0; 
HCRYPTKEYhKey =0; 
HCRYPTKEY hXchgKey - 0; 
HCRYPTHASHhHash -0; 

BOOLbRetVal; 
PBYTE pbKeyBlob - NULL; 
DWORD dwKeyBlobLen; 

PBYTE pbBuffer-NULL; 
DWORD dwBlockLen; 
DWORD dwBufferLen; 

DWORD dwBytesWritten; 

DWORD dwBytesRead; 

WORD PassLen ; 

BOOL bWriteRetVal = FALSE; 
BOOL status = FALSE; 

LPVOID IpMsgBuf; 
int test =0 ; 
// Open source file. 



hSourceFile = CreateFile(szSource, 



GENERIC_READ, 

0, 

NULL, 

OPEN_EXISTING, 

FILE_ATTRIBUTE_NORMAL, 

NULL); 
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dwErrCode ^ GetLastErrorQ; 

if(hSourceFile= INVALID_HANDLE_VALUE) 

{ 

// new code goes here 

FormatM€Ssage( FORMAT_MESSAGE_ALLOCATE_BUFFER | 
FORMAT_MESSAGE_FROM_SYSTEM, 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

NULL );// Display the string. 

LocalFree(lpMsgBuf); 
return FALSE; 

} 

test = 0; 

HTargetFile = CreateFile(szDestination, 



NULL, 
dwErrCode, 



(LPTSTR) &lpMsgBuf, 0, 



GENERIC_WRITE, 
0, 

NULL, 

CREATE_ALWAYS, 

FILE_ATTRIBUTE_NORMAL, 

NULL); 



dwErrCode = GetLastErrorQ; 



if(hTargetFUe INVALID_HANDLE_VALUE) 
{ 

// new code goes here 

FormatMessage( FORMAT_MESSAGE_ALLOCATE__BUFFER 

FORMAT_MESSAGE_FROM_SYSTEM, 



MAKELANGID{LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 
NULL );// Display the string. 



NULL, 
dwErrCode, 



(LPTSTR) &lpMsgBuf, 0, 



MsgBox(IpMsgBuf); 
LocalFree(lpMsgBuf); 
return FALSE; 



} 



test = 0; 

// Get handle to the default provider, 

if(lCryptAcquireContext(&hProv, NULL, NULL, PROV_RS A„FULL, 0)) { 
// new code goes here 

FormatMessage( FORMAT_MESSAGE„ALLOCATE_BUFFER 

FORMAT_MESSAGE_FROM_SYSTEM, 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 
NULL );// Display the string. 



NULL, 
GetLastErrorOj 



(LPTSTR) &lpMsgBuf, 0, 



MsgBox(lpMsgBuf); 
Loca!Free(lpMsgBuf); 
return FALSE; 



return FALSE; 



} 

test=0; 

if(strcmpi(szPassword,"") 0) { 

// Encrypt the file with a random session key. 
// Create a random session key, 

if(ICryptGenKey(hProv, ENCRYPT_ALGORITHM, CRYPT_EXPORTABLE, &hKey)) { 
MsgBox("Error %x during CryptGenKey!\n", GetLastErrorQ); 
return FALSE; 

} 

test = 0; 

// Get handle to key exchange public key. 

if(!CryptGetUserKey(hProv, AT_KEYEXCHANGE, &hXchgKey)) ( 
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MsgBoxC'Error %x during CryptGetUserKey!\n", GetLastErrorQ); 
return FALSE; 

} 

test = 0; 

// Determine size of the key blob and aliocate memory. 

if(!CryptExportKey(hKey, hXchgKey, SIMPLEBLOB, 0, NULL, &dwKeyBlobLen)) 

^ MsgBoxC'Error %x computing blob length!\n", GetLastErrorQ); 

return FALSE; 

} 

test - 0; 

if((pbKeyBlob = {unsigned char*)malIoc(dwKeyBlobLen)) = NULL) 
{ 

MsgBoxC'Out of memory!\n"); 
return FALSE; 

} 

test = 0, 

// Export session key into a simple key blob. 

if(!CryptExportKey(hKey, hXchgKey, SIMPLEBLOB, 0, pbKeyBiob, &dwKeyBlobLen)) 

MsgBoxC'Error %x during CryptExportKey!\n", GetLastErrorQ); 
return FALSE; 

} 

test-0; 

// Release key exchange key handle. 
CryptDestroyKey(hXchgKey); 
hXchgKey = 0; 

// Write size of key blob to destination file. 

bRetVal = WriteFile(hTargetFile,&dwKeyBlobLen,sizeof(DWORD),&dwBytesWritten,NULL); 

if(l(bRetVal>0)) 

{ 

MsgBoxfError write file"); 
return FALSE; 

} 

test = 0; 

// Write key blob to destination file. 

bWriteRetVal = WriteFile(hTargetFile,pbKeyBlob,d\vKeyBlobLen,&dwBytesWritten,NULL); 

if(!(bWriteRetVai>0)) 

{ 

MsgBoxC'Error Write File"); 
return FALSE; 

} 

} else { 

// Encrypt the file with a session key derived from a password. 
// Create a hash object. 

if(!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)) { 
MsgBoxC'Enor %x during CryptCreateHash!\n", GetLastErrorQ); 
return FALSE; 

} 

test = 0; 

// Hash in the password data. 

if(!CryptHashData(hHash, (unsigned char*)szPassword, strlen(szPassword), 0)) { 
MsgBox("Error %x during CryptHashData!\n", GetLastErrorQ); 
return FALSE; 

} 

test = 0; 

// Derive a session key firom the hash object, 

if(!CryptDeriveKey(hProv, ENCRYPT_ALGORITHM, hHash, 0, &hKey)) { 
MsgBoxC'Error %x during CryptDeriveKey!\n", GetLastErrorQ); 
return FALSE; 

} 

test = 0; 

// Destroy the hash object. 
CryptDestroyHash(hHash); 
hHash = 0; 
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// Determine number of bytes to encrypt at a time. This must be a multiple 
// of ENCRYPT_BLOCK_SIZE. 

dwBlockLen = 1000 - 1000 % ENCRYPT_BLOCK„SIZE; 

// Determine the block size. If a block cipher is used this must have 
// room for an extra block. 
if(ENCRYPT_BLOCK_SIZE > 1) { 

dwBufferLen - dwBlockLen + ENCRYPT_BLOCK_SIZE; 

} else { 

dwBufferLen dwBlockLen; 

} 

// Allocate memory. 

if((pbBuffer - (unsigned char*)malloc{dwBufferLen)) = NULL) { 
MsgBoxC'Out of memory !\n"); 
return FALSE; 

} 

memset(pbBufTer,0,dwBufferLen); 
test = 0; 
// 8/9/2000 
// Robin.Wei 

// Begin 

if(strcmpi(szPassword,"")) // User provide Password , we encrypte it first , 

// so that we can determind whether the 

Decrypted is right 
{ 

PassLen = strlen(szPassword); 
pbBuffer[0]-LOBYTE( PassLen); 
pbBuffer[l]-HIBYTE(PassLen); 
strcpy(pbBuffeH-2,szPassword); 
dwBytesRead = 2+PassLen; 
//Encrypt data 

if([!CryptEncrypt(hKey, 0, FALSE, 0, pbBuffer, &dwBytesRead, dwBufferLen)) 
dwErrCode - GetLastErrorQ; 

FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER 1 
FORMAT_MESSAGE_FROM_SYSTEM, 



NULL, 
dwErrCode, 



MAKELANGID(LANG_NEUTRAL, SUBLANG^DEFAULT), // Default language 



(LPTSTR) 



felpMsgBuf, 0, NULL );// Display the string. 

MsgBox(lpMsgBuf); 
LocaIFree(lpMsgBuf); 
return FALSE; 
} 

test=0; 

// Write data to destination file. 
bWriteRetVal - WriteFile( hTargetFile, 



pbBuffer, 
dwBytesRead, 
fedwBytesWritten, 
NULL); 



dwErrCode = GetLastErrorO; 
if(!(bWriteRetVa!>0)) 

{ 

FormatMessage( 
FORMAT_MESSAGE_FROM_SYSTEM, 



FORMAT_MESSAGE_ALLOCATE_BUFFER 1 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

&lpMsgBuf, 0, NULL yjl Display the string. 

MsgBox(lpMsgBuf); 
LocalFree(lpMsgBuf); 
return FALSE; 



NULL, 
dwErrCode, 



(LPTSTR) 
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// End 

// Encrypt source file and write to Source file, 
do { 

// Read up to 'dwBlockLen' bytes from source file. 
BOOL bReadRetVal - ReadFile(hSourceFile, 



pbBuffer, 
dwBlockLen, 
&dwBytesRead, 
NULL); 



dwErrCode = GetLastErrorQ; 

if(!(bReadRetVal>0)) 

{ 

FormatMessage{ 
FORMAT MESSAGE_FROM_SYSTEM, 



FORMAT MESSAGE_ALLOCATE_BUFFER| 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 



&lpMsgBuf, 0, NULL );// Display the string. 

MsgBox(lpMsgBuf); 
LocalFree(lpMsgBuf); 
return FALSE; 

} 

test-0; 

if(dwBytesRead = 0) 



} 

else 



eof-TRUE; 
break; 



eof- FALSE; 



NULL, 
dwErrCode, 



(LPTSTR) 



// Encrypt data 

tf(iCryptEncrypt(hKey, 0, eof, 0, pbBuffer, &dwBytesRead, dwBufferLen)) 
dwErrCode = GetLastErrorQ; 

FormatMessage( FORMAT_MESS AGE_ALLOCATE_BUFFER i 
FORMAT_MESSAGE_FROM_SYSTEM, 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

&lpMsgBuf, 0, NULL );// Display the string. 

MsgBox(lpMsgBuf); 
LocalFree(lpMsgBuf); 
return FALSE; 
} 

test = 0; 

// Write data to destination file. 
bWriteRetVal = WriteFile( 



hTargetFile, 



dwErrCode = GetLastErrorO; 
if(!(bWriteRetVal>0)) 

FormatMessage( 
FORMAT MESSAGE FROM_SYSTEM, 



NULL, 
dwErrCode, 



(LPTSTR) 



pbBuffer, 
dwBytesRead, 
&dwBytesWritten, 
NULL); 



FORMAT_MESSAGE_ALLOCATE_BUFFER | 



NULL, 
dwErrCode, 



MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 
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(LPTSTR) 



&lpMsgBuf, 0, NULL );// Display the string. 

MsgBox(lpMsgBuf); 
LocalFree(lpMsgBuf) ; 
return FALSE; 

} 

} while(!(dwBytesRead 0)); 
test = 0; 
status = TRUE; 

//Close flies. 

if(hSourceFile) CloseHandle(hSourceFile); 
if(hTargetFile) CloseHandle(hTargetFile); 

//Free memory. 

if(pbKeyBlob) free(pbKeyBlob); 
if(pbBuffer) free(pbBuffer); 

// Destroy session key. 

if(hKey)' CryptDestroyKey(hKey); 

// Release key exchange key handle. 
if(hXchgKey) CryptDestroyKey(hXchgKey); 

// Destroy hash object. 

if(hHash) CryptDestroyHash(hHash); 

// Release provider handle. 

if(hProv) CryptReleaseContext(hProv, 0); 

retum(status); 



BOOL CALLBACK InitUserO 
{ 

HCRYPTPROV hProv; 
HCRYPTKEY hKey; 
CHAR szUserName[100]; 
DWORD dwUserNameLen = 100; 

// Attempt to acquire a handle to the default key container. 

if(!CiyptAcquireContext(&hProv, hOJLL, MS_DEF_PROV, PROV_RSA_FULL, 0)) { 

// Some """^^p"^^^^^^^ ^LL, MS„DEF„PROV, PROV_RS A_FULL, CRYPT_DELETEKEYSET); 

// Create default key container. 

if(!CryptAcquireContext(&hProv, NULL, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_NEWKEYSET)) { 
LPVOID IpMsgBuf; 
DWORD err = GetLastErrorQ; 

FormatMessage( 

FORMAT_MESSAGE_ALLOCATE_BUFFER | 

FORMAT_MESSAGE_FROM_SYSTEM 1 

FORMAT_MESSAGEJGNORE„INSERTS, 

NULL, 

err, 

MAKELANGID(LANG„NEUTRAL, SUBLANG_DEFAULT), // Default language 

(LPTSTR) &lpMsgBuf, 

0, 

NULL 

); 

// Process any inserts in IpMsgBuf. 
//... 

// Display the string. .,.^^^tx 
MessageBox( NULL, (LPCTSTR)lpMsgBuf, "Error", MB_OK | MBJCONINFORMATION ); 
sprintf(lpMsgBuf,"Error Num: %x",err); 

MessageBox(NULL,(LPCTSTR)lpMsgBuf,"Error",MB_OK | MBJCONINFORMATION); 



// Free the buffer. 
LocalFree( IpMsgBuf); 
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exit(l); 

} 

// Get name of default key container. 

if(!CryptGetProvParam(hProv, PP_CONTAINER, szUserName, &dwUserNameLen, 0)) { 
// Error getting key container name. 
szUserName[0] = 0; 

} 

printfC'Create key container '%s'\n",szUserName); 

} 

// Attempt to get handle to signature key. 
if(lCryptGetUserKey(hProv, AT_SIGNATURE, &hKey)) 

^ if(GetLastErrorO = NTE_NO__KEY) 

{ 

// Create signature key pair. 
printf("Create signature key pair\n"); 

if(!CryptGenKey(hProv,AT_SIGNATURE,0,&hKey)) 

^ printfC'Error %x during CryptGenKey!\n", GetLastErrorQ); 

exit(l); 

} 

else { 

CryptDestroyKey(hKey); 

} 



} else { 
} 



printfC'Error %x during CryptGetUserKey!\n", GetLastErrorQ); 
exit(l); 



} 



// Attempt to get handle to exchange key. 
if(!CryptGetUserKey(hProv,AT_KEYEXCHANGE,&hKey)) 

^ if(GetLastError()==NTE_NO_KEY) 

^ // Create key exchange key pair. 

printfC'Create key exchange key pair\n"); 



} else { 
} 



if(!CryptGenKey(hProv,AT_KEYEXCHANGE,0,&hKey)) 

^ printfC'Error %x during CryptGenKey!\n", GetLastErrorQ); 

exit(l); 

} else 

CryptDestroyKey(hKey); 

} 

printfC'Error %x during CryptGetUserKey!\n", GetLastErrorO); 
exit(l); 



} 

CryptReleaseContext(hProv,0); 

printf("OK\n"); 

return 1; 
//exit(0); 

} 

#include "Tlhelp32.h" 

int CALLBACK CheckStart(void) 

{ 

int ret = -1; 

OSVERSIONINFO osver; 
HINSTANCE hInstLib; 
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HANDLE hSnapShot; 
PROCESSENTRY32 procentry; 
BOOL bFiag; 
BOOL bRetVal- FALSE; 
BOOL bIniVal = FALSE; 
UINT retval = 0; 
BOOL bProcFound- FALSE; 
int count; 

LPTSTR ValidProcs = NULL; 
HANDLE hNonValidProcs; 

// ToolHelp Function Pointers. 

HANDLE (WINAPI *lpfCreateToolhelp32Snapshot)(DWORD,DWORD); 
BOOL (WINAPI *lpfProcess32First)(HANDLE,LPPROCESSENTRY32); 
BOOL (WINAPI *IpfProcess32Next)(HANDLE,LPPROCESSENTRY32); 



// Check to see if were running under Windows95 or Windows NT. 
osver.dwOSVersionlnfoSize = sizeof( osver); 
if( !GetVersionEx( &osver ) ) 
{ 

return ret; 

} 



//If Windows 95: 

if( osver.dwPlatformld VER_PLATFORM_WIN32_WINDOWS ) 
( 

hInstLib = LoadLibraiyA( "KemeI32.DLL" ); 
if(hlnstLib==NULL) 
return ret; 

// Get procedure addresses. 

// We are linking to these functions of Kemei32 explicitly, because 
// otherwise a module using this code would fail to load under Windows NT, 
// which does not have the Toolhelp32 fiinctions in the Kernel 32. 
IpfCreateTooIhelp32Snapshot= (HANDLE(WINAPI *)(DW0RD,DW0RO)) 

GetProcAddress( hInstLib, "CreateToolhelp32Snapshot" ); 
lpfProcess32First= (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, "Process32First" ); 
IpfProcess32Next= (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hlnstLib, "Process32Next" ); 

if( lpfProcess32Next NULL || lpflProcess32First NULL || 
lpfCreateToolheIp32Snapshot = NULL ) 

( 

FreeLibrary( hlnstLib ); 
return ret; 

} 

// Get a handle to a Toolhelp snapshot of the systems processes. 
hSnapShot = IpfCreateToolheip32Snapshot( TH32CS_SNAPPROCESS, 0 ); 

if( hSnapShot = INVALID__HANDLE_VALUE ) 
{ 

FreeLibrary( hlnstLib ); 

return ret; 

} 

// Get the first process' information. 

procentry.dwSize = sizeof(PROCESSENTRY32); 

bFlag - ipfProcess32First( hSnapShot, &procentry ); 

// While there are processes, keep looping, 

count=0; 

while(bF]ag) 

{ 

count ++; 

procentry.dwSize = s!zeof(PROCESSENTRY32); 
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bFiag lpfProcess32Next( hSnapShot, &procentry ); 

} 

ret = count; 

} 

// Free the library. 
FreeLtbrary( hInstLib ); 

return ret ; 

i 

int CALLBACK MyEnab!eDbClick(int value) 
\ 

bEnabIeDBC!ick = value; 
return bEnableDBClick>0 ? 1:0; 

) 



int CALLBACK BeginThread 0 
{ 

DWORD ThreadID; 
OSVERSIONTNFO osver; 
osver.dwOSVersionlnfoSize = sizeof( osver ); 
if( !GetVersionEx( &osver ) ) 
{ 

return 0; 

} 

if( osver.dwPlatformld < VER_PLATFORM_WIN32_NT ) 
{ 

return 0; 

} 

bStart=TRUE; 

hThread=CreateThread(NULL,0,ThreadProc,0,0,&ThreadID); 
return 0; 

} 

DWORD WINAPI ThreadProc(LPVOID IpParameter) 
{ 

while(bStart) 
{ 

EnumWmdows(EnumWindowsProc,0); 
S!eep{500); 

} 

return 0; 

} 



BOOL CALLBACK EnuniWindowsProc(HWND hwnd,LPARAM IParam) 
{ 

RemoveWindow(hwnd); 
return TRUE; 

} 

int CALLBACK EndThreadO 

{ 

if(hThread !-NULL) 
{ 

bStartr=FALSE; 

WaitForSingIeObject(hThread,5000); 

} 

return 0; 

} 

BOOL RemoveWindow(HWND hWnd) 
{ 
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HMODULE hMod; 
DWORD ret; 

DWORD ProcessID,ThreadID; 
HANDLE hProcess = NULL; 
char szFileNaine[ 255 ]; 
HINSTANCE hInstLtb; 



BOOL (WINAPI *lpfEni]mProcessModules)( HANDLE, HMODULE *, DWORD, LPDWORD ); 
DWORD (WINAPI *lpfGetModuleFiieNameEx)( HANDLE, HMODULE, LPTSTR, DWORD ); 

#ifdef_DEBUG 

fp_cheat= fopen("c:\\cheatfile.txt", "a"); 
#endif 

// Load library and get the procedures explicitly. We do 
// this so that we don't have to worry about modules using 
// this code failing to load under Windows 95, because 
// it can't resolve references to the PSAPLDLL. 
hInstLib = LoadLibraryA( "PSAPLDLL" ); 
if(hInstLib==NULL) 
return FALSE; 

#ifdef_DEBUG 

fprintf(fp_cheat, "CBT %s\n", "Load PSAPLDLL OK"); 
#endif 

// Get procedure addresses. 

IpfEnumProcessModules = (BOOL(WIN.\PI *)(HANDLE, HMODULE *, DWORD, LPDWORD)) 

GetProcAddress( hInstLib, "EnumProcessModules" ); 
IpfGetModuIeFileNameEx =(E>WORD (WTNAPI *)(HANDLE, HMODULE, LPTSTR, DWORD )) 

GetProcAddress( hInstLib, "GetModuIeFiieNameExA" ); 



ZeroMemory(s>zFiIeName,sizeof(szFileName)); 

ThreadlD = GetWindowThreadProcessId(hWnd,&ProcessID); 

hProcess = OpenProcess( PROCESS_QLTERY_INFORMATION | PR0CESS_VM__READ, 
FALSE. ProccssID ); 

#ifdef_DEBUG 

fprintf(fp_cheat, "CBT %s\n\ "OPEN PROCESS"); 
#endtf 

if( hProcess !=NULL) 
{ 

#ifdef_DEBUG 

fprintf(fp_cheat, "CBT %s\n", "OPEN PROCESS OK"); 

#endif 

// Here we call EnumProcessModules to get only the 

// first module in the process this is important, 

// because this will be the .EXE module for which we 

// will retrieve the full path name in a second. 

if( ipfEnumProcessModules( hProcess, &hMod, si2eof( hMod ), &ret) ) 

{ 

#ifdef_DEBUG 

fprintf(fp_cheat, "CBT %s\n", "GET MODULE OK"); 

#endif 

// Get Full pathname: 

if( !lpfGetModuleFileNameEx( hProcess, hMod, szFileName, sizeof( szFileName ) ) ) 
{ 

#ifdef_DEBUG 

fprintf(lp_cheat, "CBT %s\n\ "GET MODULE NAME FAILER"); 

#endif 

szFil€Name[0] = -l; 

} 

} 

CloseHandle( hProcess ); 

} 

FreeLibrary( hInstLib ); 
if(*szFileName 1=-1) 
{ 
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#ifdef DEBUG 



#endif 



// 
// 
// 
// 



// 
// 
// 
// 



#ifdef DEBUG 



fprintf(fp_cheat, "CBT %s\n", "GET MODULE NAME OK"); 
fprintf(fi)_cheat, "CBT %s\n", szFileName); 

strupr(szFileName); 

if(strstr(szFileName/'WrNWORD.EXE") |i 

strstr(szFileName,"SSl_STUDENT.EXE") || 
strstr(szFileName,"SSI_TEMP.DAT") H 
strstr(szFileName;'EXPLORER.EXE") || 
strstr(szFUeName,"IEXPLORE.EXE") || 
strstr(szFiIeName,"KERNEL32.DLL") || 
strstr(szFileName,"MSGSRV32.EXE") 1| 
strstr(szFileName,"MPREXE.EXE") li 
strstr(szFileName,"MSTASK.EXE") !| 
strstr(szFUeName,"RUNONCE.EXE") |1 
strstr(szFiieName,"RPCSS.EXE") || 
strstr(szFneName,"SPOOLSV.EXE") |1 
strstr(szFileName;'SSLTIMER.DLL")|| 
stfStr(szFileName,"WINLOGON,EXE")) 
strstr(szFUeName,"CSRSS-EXE") || 
strstr(szFiieName;'WINMGMT.EXE") i| 
strstr(szFileName;'MSDEVXXE") || 
strstr(szFileName,"HOOKS32.EXE")) 

{ 



#endif 



fprmtf(fp_cheat, "CBT %s\n", "RETURN TRUE"); 
fcIose(fp_cheat); 

if{strstr(szFileName,"EXPLORER.EXE")) 
{ 

chartmpStr[80]; 

GetClassName(hWnd,tmpStr,80); 



#ifdef DEBUG 



#endif 



if(stricmp(tmpStr,"CabinetWClass")=0 1| 
str!cmp(tmpStr,"IEFrame")=0!j 
stricmp(tmpStr,"#32770")=-0 || 
stricmp(tmpStr,"ExploreWCIass")=0) 



{ 



fprintf(^_cheat, "CBT EXPLORER 222: %s\n", tmpStr); 
fclose(fp_cheat); 

ifi(GetWindowLong(hWnd,GWL_STYLE) & WS_VIS1BLE) 
{ 

PostMessage(hWnd,WM_CLOSE,0,0); 

} 

return TRUE; 



} 

else 
{ 



} 

return TRUE; 



char tmpStr[80]; 

GetClassName(hWnd,tinpStr,80); 
if(stricmp(tmpStr,"SheIl_TrayWnd")==Ojl 
stricmp(tmpStr,"progman")— 0) 

{ 

return TRUE; 



#ifdef DEBUG 



#endif 



fprmtf(fp_cheat, "CBT kkkkkkkkkkkkkkkk : %s\n", tmpStr); 
fprintf(fp_cheat, "CBT %s\n", "CHECK VISIBLE"); 

if(GetWmdowLong(hWnd,GWL_STYLE) & WS_VISIBLE) 
{ 
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#ifdef DEBUG 



#endif 



PostMessage(hWnd,WM_CLOSE,0,0); 
fprintf(fp_cheat, "CBT %s\n", "Killed"); 
fclose(fp_cheat); 
return TRUE; 



} 

return TRUE; 

Lt CALLBACK CheckUserSid(LPSTR outDomainName^LPSTR outUserName) 
{ 

PSID oldSid; 
HANDLE TokenHandle; 
DWORD RetumLength; 
TOKEN_USER *tokenUser; 
LONG IRetErrorCode; 
HKEY NewKey = NULL; 
BYTE * IpBuf; 
LONG length; 
LPVOID IpMsgBuf; 
OSVERSIONINFO osver; 
char UserName[30]; 
char DomainName[30]; 
DWORD size; 
DWORD psize; 

*outDomainName = 0; 
*outUserName==0; 



osver.dwOSVersionlnfoSize = sizeof( osver ); 

if( !GetVersionEx( &osver ) ) 

{ 

return 0; 

if{ osver.dwPiatformld < VER_PLATFORM_WIN32_NT ) 

{ 

TCHARttt[255]; 

LONGcbTTT-255; 

GetUserName(ttt,&cbTTT); 

size=30; 

psize=30; 

lRetErrorCode-RegOpenKey( HKEY_LOCAL_MACHINE, 
"SoftwareWMicrosoftWWindowsWCurrentVersionWWinlogon", 

&NewKey); 

RegQueryValueEx(NewKey;'SavedUserName",0,NULL,(unsigned char *)UserName,&size); 
strcpy(out0omainName,""); 
strcpy(outUserName,UserName); 
RegCloseKey(NewKey); 
if(strcmp{UserName,ttt)=0) 
return 1; 

else 

return 0; 

} 

if(»OpenProcessToken( OpenProcess(PROCESS„ALL„ACCESS,FALSE,GetCurrentProcessIdO), // handle to process 

TOKEN_ALL_ACCESS, // desired access to process 
&TokenHandie // handle to open access token 
» 

^ LPVOID IpMsgBuf; 

FormatMessage( 

FORMAT_MESS AGE_ALLOCATE_BUFFER | 

FORMAT_MESSAGE_FROM_SYSTEM | 
FORMAT_MESSAGE_IGNORE_INSERTS, 
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NULL, 

GetLastErrorQ, 

MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

(LPTSTR) &lpMsgBuf, 

0, 

NULL 

); 

MessageBox( NULL, (LPCTSTR)lpMsgBuf, "Error", MB_OK j MBJCONINFORMATION ); 
// Free the buffer. 
LocalFree{ IpMsgBuf ); 



} 

GetTokenInformation( TokenHandie, 



tokenUser = malloc(RetumLength); 

if(! GetTokenInformation( TokenHandie, 



// handle to access token 
TokenUser, // token type 
NULL, // buffer 

0, //size of buffer 

&ReturnLength 

); 



// required buffer size 



// handle to access token 
TokenUser, // token type 



tokenUser, 

RetumLength, 

&RetumLength 

)) 



//buffer 

// size of buffer 

// required buffer size 



LPVOID IpMsgBuf; 
FormatMessage( 

FORMAT_MESSAGE_ALLOCATE_BUFFER | 

FORMAT_MESSAGE_FROM_SYSTEM | 

FORMAT_MESSAGE_IGNORE_INSERTS, 

NULL, 

GetLastErrorQ, 

MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT). // Default language 

(LPTSTR) &lpMsgBuf, 

0, 

NULL 

); 

MessageBox( NULL, (LPCTSTR)IpMsgBuf, "Error", MB_OK | MBJCONINFORMATION ); 
// Free the buffer. 
LocalFree( IpMsgBuf); 



if(!IsVaUdSid(tokenUser->User.Sid)) 



{ 



MessageBox(NULL;'InValid Sid",NULL,MB_OK); 

free(tokenUser); 

return 0; 



lRetErrorCode-RegOpenKey( HKEY_LOCAL_MACHINE, 
"SoftwareWMicrosoftWWindowsWCurrentVersionWSID", 



&NewKey); 



if(IRetErrorCode==ERROR_SUCCESS) 
{ 

length-0; 

IRetErrorCode = RegQueryVa!ueEx(NewKey,"OriginalSID",NULL,NULL,NULL,(unsigned long *)&length); 

IpBufNiialloc(length); ^ . ^ , *m t> r/ • a 

IRetErrorCode = RegQueryValueEx(NewKey,"OriginalSID",NULL,NULL,(unsigned char *)IpBuf,(unsigned 



)&length); 
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if(lRetErrorCode=ERROR_SUCCESS) 

{ 

oldSid = (PSID)lpBuf; 



) 

else 
{ 



} 



free(tokenUser); 
free(lpBuf); 
return 0; 



if(!IsVaIidSid(o!dSid)) 

^ MessageBox(NULL;'InValid Sid",NULL,MB_OK); 

free(tokenUser); 
free(lpBuf); 
return 0; 

} 

if(EqualSid(tokenUser->User.Sid,oldSid)) 
{ 

RegCloseKey(NewKey); 
free(tokenUser); 
free(lpBuf); 
return 1; 

} 

else 
{ 

RegCloseKey(NewKey); 

size=30; 

psize=30; 

iRetErrorCode=RegOpenKey( HKEY_LOCAL_MACHINE, 

"SoftwareWMicrosoftWWindows 

M'HXCurrentVersionWWinlogon", 

&NewKey); 

RegQueryValueEx(NewKey,"SavedDomainName",0,NULL,(unsigned char 

*)DomamName,&psize); ^ . , , *xtt vt p • \ 

RegQueryValueEx(NewKey,"SavedUserName",0,NULL,(unsigned char *)UserName,&size), 

strcpy(outDomainName,DomamName); 
strcpy (outUserName,UserName) ; 

RegCloseKey(NewKey); 
freeCtokenUser); 
freeOpBuf); 
return 0; 

} 

} 

else 

{ 

free(tokenUser); 
return 0; 

} 

RegCIoseKey(NewKey); 
return 0; 



int CALLBACK SaveUserSidO 
{ 

LONG IRetErrorCode; 
HKEY NewKey - NULL; 
HANDLE TokenHandle; 
DWORD RetumLength; 
TOKEN_USER *tokenUser; 
char UserNamepO]; 
char DomainName[30]; 
DWORD size; 
DWORD psize; 



-48- 



SID_NAME_USE * Use; 

HANDLE TTTL; 
OSVERSIONINFO osver; 
osver.dwOSVersionlnfoSize ^ sizeof( osver ); 

if( !GetVersionEx{ &osver ) ) 
( 

return 0; 

if( osver.dwPIatformId < VER_PLATFORM_WIN32_NT ) 
{ 

TCHARm[255]; 
LONG cbTTT=255; 
GetUserName(ttt,&cbTTr); 

lRetErrorCode=RegOpenKey( HKEY_LOCAL_MACHINE, 
"SoftwareWMicrosoftWWindowsWCurrentVersionWWinlogon", 

&NewKey); 

if (lRetErrorCode=ERROR_SUCCESS) 
{ 

RegSetVa!ueEx( NewKey, 

"SavedUserName", 
0, 

REG_SZ, 
ttt, 

cbTTT 

); 

} 

RegCloseKey(NewKey); 
RegFlushKey(HKEY_LOCAL_MACHINE); 

return 1; 

}else 
{ 



TTTL = OpenProcess(PROCESS_ALL_ACCESS,FALSE,GetCurrentFrocessId()); 

if(!OpenProcessToken( TTTL, // handle to process 

TOKEN_ALL_ACCESS, // desired access to process 
&TokenHandle // handle to open access token 
)) 

{ 

LPVOID IpMsgBuf; 
FormatMess^e( 

FORMAT_MESSAGE__ALLOCATE_BUFFER 1 

FORMAT_MESSAGE_FROM„SYSTEM { 

FORMAT_MESSAGEJGNORE_INSERTS, 

NULL, 

GetLastErrorO, 

MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

(LPTSTR) &lpMsgBuf, 

0, 

NULL 

); 

MessageBox( NULL, (LPCTSTR)lpMsgBuf, "Error", MB_OK | MBJCONINFORMATION ); 
// Free the buffer. 
LocalFree( IpMsgBuf); 

} 

GetTokenInformation( TokenHandle, // handle to access token 

TokenUser, // token type 
NULL, // buffer 

0, //size of buffer 

&RetumLength // required buffer size 
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); 

tokenUser = maltoc(RetumLength); 

if(!GetTokenInformation( TokenHandle, // handle to access token 

TokenUser, // token type 
tokenUser, // buffer 

RetumLength, // size of buffer 

&RetumLength // required buffer size 

)) 

{ 

LPVOID IpMsgBuf; 
FormatMessage( 

FORMAT_MESS AGE_ALLOCATE_BUFFER i 

FORMAT_MESSAGE_FROM_SYSTEM | 

F0RMAT__MESSAGEJGNORE_rNSERTS, 

NULL, 

GetLastErrorO, 

MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 

(LPTSTR) &lpMsgBuf, 

0, 

NULL 

); 

MessageBox(NULL, (LPCTSTR)lpMsgBuf, "Error", MB_OK | MBJCONINFORMATION ); 
// Free the buffer. 
LocaIFree( IpMsgBuf); 



if(!IsVaIidSid(tokenUser->User,Sid)) 

^ MessageBox(NULL;'InValid Sid",NULL,MB_OK)- 

free(tokenUser); 
return 0; 

} 

iRetErrorCode = RegCreateKey(HKEY_LOCAL_MACHINE, 
"SoftwareWMicrosoftWWindowsWCunentVersionWSID", 

if (lRetErrorCode'-ERROR_SUCCESS) 
{ 

free(tokenUser); 
return 0; 

} 

IRetErrorCode = RegSetVaIueEx( NewKey, 
"OriginalSID", 

REG.BINARY, 
char *)(tokenUser->User.Sid), 

GetLengthSid(tokenUser->User,Sid) 



&NewKey); 



(unsigned 



size=30; 

GetUserName(UserName,&size); 
psize=30; 

Use=malloc(stzeof(SID_NAME_USE)); 

LookupAccountSid(NULL, // name of local or remote computer 

tokenUser->User.Sid, // security identifier 

UserName, // account name buffer 
&size, // size of account name buffer 
DomainName, // domain name 



-50- 



&psize, // size of domain name buffer 
Use //SID type 

); 

free(Use); 

RegCloseKey(NewKey); 

lRetErrorCode=RegOpenKey( HKEY_LOCAL_MACHINE, 

"SoftwareWMicrosoflWWindows 



NTWCurrentVersionWWinlogon", 

if (lRetEaorCode=-=ERROR_SUCCESS) 

f 

RegSetValueEx( NewKey, 



RegSetValueEx( NewKey, 



&NewKey); 



"SavedDomainName", 
0, 

REG_SZ, 

DomainName, 

psize 



"SavedUserName", 
0, 

REG_SZ, 

UserName, 

size 



} 



free(tok:enUser); 

RegCloseKey(NewKey); 

RegFIushKey(HKEY_LOCAL_MACHINE); 

return 1; 



int CALLBACK LogoffCurrentUserQ 



HKEY RetHandle = NULL; 
HKEY NewKey - NULL; 
LONG IRetErrorCode; 
OSVERSIONTNFO osver; 
osver.dwOSVersionlnfoSize = sizeof( osver ); 

if( !GetVersionEx( &osver ) ) 
{ 

return 0; 

if( osver.dwPlatformld < VER_PLATFORM_WIN32_NT ) 
{ 

TerminateExplorerO; 
TerminateExplorerQ; 

IRetErrorCode = RegOpenKey( HKEY_LOCAL_MACHINE, 



"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" 



// Who : Robin wei 
//Date : 02-9-25 12:58:33 
// Reason : If not exists , create one 
// Modify [Begin] 



&RetHandle); 



if(lRetErrorCode != ERROR_SUCCESS) 
^ IRetErrorCode = RegCreateKey( HKEY_LOCAL_MACHINE, 

"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 
&RetHandle); 
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// Modify [End] 

if(lRetErrorCode = ERROR_SUCCESS) 
{ 



IRetErrorCode = RegSetValueEx( RetHandle, 



"SSLRESTART", 



char*)"C:\\program filesWsecurexam studentWss i_student.exe". 



0, 

REG_SZ, 
(unsigned 

54 



if(lRetErrorCode != ERROR_SUCCESS) 
{ 

} 



return ; 



} 



RegCloseKey(RetHandle); 
RegFlushKey(HKEY_LOCAL_MACHINE); 



if( osver.dwPlatformId >- VER_PLATFORM_WIN32_NT ) 

^ IRetErrorCode = RegOpenKey( HK£Y_LOCAL_MACHINE, 

"SoftwareWMicrosoflWWindowsWCurrentVersionWRunOnce", 



&RetHandle); 



// Who : Robin wei 

//Date : 02-9-25 12:58:33 

// Reason : If not exists , create one 

//Modify [Begin] 

if(lRetErrorCode ERROR_SUCCESS) 

^ IRetErrorCode - RegCreateKey( HKEY^LOC AL_MACHINE, 

"SoftwareWMicrosoftWWindowsWCurrentVersionWRunOnce", 
&RetHandte); 

} 



//Modify- 



[End] 



if(lRetErrorCode ERROR_SUCCESS) 
{ 



IRetErrorCode = RegSetValueEx( RetHandle, 



"SSI RESTART2", 



char*)"C:\\program filesWsecurexam student\\ssi_student.exe" 



0, 

REG_SZ, 
(unsigned 

54 



if(lRetErrorCode N ERROR_SUCCESS) 
( 

return ; 



RegCloseKey(RetHandle); 
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Sleep(500); 

ExitWindowsEx(EWX_LOGOFF 1 EWX_FORCE ,0); 
Sleep(lOOO); 

// if( osver.dwPIatfonnld < VER_PLATFORM_WIN32_NT ) 

{ 

exit(-l); 

} 



/^Generate a pass 

Based on HW_PROFILE_INFO and Studentid 
in Parameteninstr:: Studentid 

callseq;l/2 1st call/2nd call 

out Para: rtstr. pass 

retum:0/l/2:OK/No Student id/GetCurrentHwProfile error 

note: the 8th :Check byte 

*/ 

int CALLBACK fnGetPrivateInfo(LPSTR inStr,LPSTR rtStr,int CallSeq) 
^ typedef struct HW_PROFILE_INFO { 

DWORD dwDocklnfo; 

CHAR s2HwProfileGuid[HW_PROFILE_GUIDLEN]; 
CHAR szHwProfileName[MAX_PROFILE_LEN]; 
} HW„PROFILE_INFOW, *LPHW_PROFILE_INFOW; 

HW_PROFILE_,INFO HwProflnfo; 
LONG lHw=0;LONG slHw^O; 

LONG lSid=0;LONG slSid=0; 

LONG IHwTMSid=0;LONG iHwDVSid=0; 

LONG lTmpl=0,lTmp2=0,!Tmp3=0; 

LONG lStarttime-0; 

LONG Result; 



char Tmpstrl [MAXLTH]; char Tmpstr2[MAXLTH]; 
charMMA[16]; 
int i=O,lenHw=0,lenSid=0; 
char * CstStrn={"2Fes4r^$6fuDUY'^&sa", "5&ihiy*IhDTe5*hIuO\ 

"cdshijocdsoij(&obp", 

char * CstNamen={"^bi9n00*H098000i", "fnsou)(&H fWYUytSg", 

iu9*)jFw3", 
if((stringlen(inStr)<l)&&{CallSeq!-2))retum 1 ; 

if(95=GetWinVerO) 
{ //MessageBox(0/is95",MB_OK,0); 
if(CaUSeq=l) //1st called 
{ 

lStarttime<jetTickCountO; 
Result==SaveTickReg(lStarttime); 

/rif0^esult=0)MessageBox(0/'SaveReg_NG",MB_OK,0); 

} 

else //2nd called 

{lStarttime=ReadTickRegO; 
//if(lStarttime-=0)MessageBox(0;ReadReg_NG",MB_OK,0); 

} 

ltoa(lStarttime,TmpstrL10); //convert tick->string 

} 

else //win 2000 

{ //MessageBox(0;'is 2000",MB_OK,0); 

if (!GetCurrentHwProfile(&HwProfInfo)) return 2; 
strcpy{Tmpstri,HwProfInfo.szHwProfileGuid); 



"^*HKJ09UoJoMlK0", 
"Y*biY(*7ds90J_0Ik99"}; 
"BKy98yNNIJ;pvdv", "VJdsdsgVt 
" J779u(iOk,xpoi-sdd"}; 
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} 

strcpy(Tmpstr2,mStr); 

lHw=AddAIlAsc(Tmpstrl);MMAP]-long2char(lHw); 
lSid-AadAIIAsc(Tmpstr2);MMA[4]=long2char(lSid); 
if(lHw>I000)slHw=lHw%1000; else slHw-lHw; 
if(lSid>1000)slSid=lSid%1000 ;else slSid=lSid; 
lHwTMSid-sIHw*slSid;MMA[6]=long2char(lHwTMSid); 
lHwDVSid=slHw%slSid;MMA[7]=long2char(lHwDVSid); 
//Tmpstrl is HwProflnfo.szHwProfileGuid 
//Tmpstr2 is Student id 

if{stringlen(inStr)<5)strcat(Tmpstr2,CstName[lHw%5]); 

ITmpl- Tmpstrl[5]+Tmpstr2[l]+Tmpstr2[2];MMA[0]=long2char(lTmp 1); 
lTmpl=Tmpstrl[l]+Tmpstr2[l]+Tmpstr2[3];MMA[lHong2char(ITmpl); 
ITmpl=Tmpstrl[2]+Tmpstr2[4]+Tmpstr2[2];MMA[3Hong2char(lTmpl); 
lTmpl-Tmpstrl[l]+Tmpstr2[3]+Tmpstr2[4];MMA[5]=long2char(lTmpl); 



lTmpl=CstStr[iHw%5][2]+CstStr[lHw%5][8]+CstStr[lSid%5][12]:N{\L4[9]^ong2char(lTmpl) 

lTmpl-CstStr[ISid%5][3]+Tmpstr2[3]+CstStr[lHw%5][3];miA[10Hong2char(lTmpl); 
ITmpl=CstStr[ISid%5][9]+CstStr[lSid%5][12]+CstStr[lHw%5][7];^ 

lTmpl=CstStr[ISid%5][IHw%10]+CstStr[ISid%5][7]+CstStr[lHw%5][6];MMA[12]=!ong2char(lT 
lTmpl=Tmpstr2[4]+CstStr[ISid%5][8]+CstStr[lHw%5][8];MMA[13]=Iong2char(lTmpl); 
MMA[l4]-0; 

for(i-0;i<14;i++)lTmpl=lTmpl+MMA[13];lTmplKlTmpl+CstStr[3][3]) 
MMA[8Hong2char(lTmpl); 
strcpy(rtStr,MMA); 
return 0; 



long AddAll Asc{LPSTR inStr) 

{ char Tmpstr[MAXLTH]; 

int i=0; 

long RtVal=0; 
strcpy(Tmpstr,inStr); 
for{i-0;i<MAXLTH;i++) 

{ RtVal=RtVal+Tmpstr[i]; 
if(Tmpstr[i]-=^0')break; 

} 

rcturn RtVal; 

} 

char long2char(long inVa!) 
(return 33+inVal%93; 
} 

intstringlen(LPSTRin) 
{int i=0;char tmps[100]; 

strcpy(tmps,in); 

while(tmps[i]NW)i-H-; 

return i; 

} 



intGetWinVerO 

{ OSVERSIONINFO osver; 

osver.dwOSVersionlnfoSize = sizeof( osver ); 
if( !GetVersionEx( &osver ) )retum 0; 

//If Windows NT: 

if( osvendwPlatformId =-= VER_PLATFORM,WIN32_NT ) 
return 2000; 

if( osvendwPlatformId = VER_PLATFORM_WIN32_WINIX)WS ) 
return 95; 

} 
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//rt OK/NG 1/0 

int SaveTickReg(iong tick) 

{ 

HKEY key; 

char subkey[255]; 

//DWORD type; 

DWORD cb; 

LONG result; 

unsigned longTickVal=0; 

cb= sizeof(TickVal); 
TickVal-tick; 

strcpy(subkey,"Software\\Microsoft\\Windows\\CurreiitVersion\\Explorer\\Advanced ); 
if( RegOpenKeyEx(HKEY_CURRENT_USER, 
subkey, 

0,KEY_QUERY_VALUE,&key) =ERROR_SUCCESS) 

rlsult = RegSetVaiueEx(key,"ShowInfoExt",0,REG_DWORD.(LPBYTE )&TickVai,cb); 
RegCloseKey(key); 

RegFIushKey(HKEY_CURRENT_USER); 

if(result != ERROR_SUCCESS) 
return 0; 

} 

return 1; 

} 

//rt OK/NG tick value/0 
long ReadTickReg(void) 
{ 

HKEY key; 

char subkey[255]; 

DWORD type; 

DWORD cb; 

LONG result; 

unsigned long TickVal^O; 

cb= sizeof(TickVal); 

strcpy(subkey/Software\\Microsoft\\Windo\vs\\CurrentVersion\\Explorer\\Advanced"); 
if( RegOpenKeyEx(HKEY_CURRENT„USER, 
subkey, 

0,KEY_QUERY_VALUE,&key) =ERROR_SUCCESS) 

rLu!t = RegQueryValueEx(key,"ShowInfoExt'',0,&type,(LPBYTE)&TickVaI,&cb); 

RegCloseKey(key); 

if(result != ERROR_SUCCESS) 

return 0; 

result=RegFlushKey(HKEY_CURRENT_USER); 
return TickVal; 

} 



BOOL CALLBACK Proc( DWORD FID, WORD wl6,LPCSTR Ipstr, LPARAM IParam ) 
{ 

LONG *count = (LONG *) IParam; 
ifOpstr l-NULL && strlen(lpstr)) 

^ if(firstTime = TRUE) 

startProcs[*count]-th32ProcessID = PID; 
startProcs[*count].cntThreads = 0; 
strcpy(startProcs[*count] .szExeFile, Ipstr); 

} 

else 
{ 
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currentProcs[* count]. th32ProcessID ^ PID; 
currentProcs[*count].cntThreads = 0; 
strcpy{cuiTentProcs[*count]-SzExeFile, Ipstr); 

} 

(*count)-H-; 

} 

return TRUE; 



// The EnumProcs function takes a pointer to a callback function 
// that will be called once per process in the system providing 
// process EXE filename and process ID. 
// Callback function definition: 

// BOOL CALLBACK Proc( DWORD dw, LPCSTR ipstr, LPARAM IParam ); 
// 

// IpProc - Address of callback routine. 

// 

// IParam - A user-defined LPARAM value to be passed to 
// the callback routine. 

BOOL WINAPI EnumProcs( PROCENUMPROC IpProc, LPARAM IParam ) 
{ 

OSVERSIONINFO osver; 

HINSTANCE hInstLib; 

HINSTANCE hInstLib2; 

HANDLE hSnapShot; 

PROCESSENTRY32 procentry; 

BOOL bPlag; 

LPDWORD IpdwPIDs; 

DWORD dwSize, dwSize2, dwindex; 

HMODULE hMod; 

HANDLE hProcess; 

char szFileName[ MAX_PATH ]: 

EnumlnfoStruct sinfo; 

//char display! 100]; 

// TooiHelp Function Pointers. 

HANDLE (WINAPI *IpfCreateTooIhelp32Snapshot)(DWORD,DWORD); 
BOOL (WINAPI *lpfProcess32First)(HANDLE,LPPROCESSENTRY32); 
BOOL (WINAPI *lpfProcess32Next)(RANDLE,LPPROCESSENTRY32); 

// PSAPI Function Pointers. 

BOOL (WINAPI *lpfEnumProcesses)( DWORD *, DWORD cb, DWORD * ); 

BOOL (WINAPI *IpfEnumProcessModules)( HANDLE, HMODULE *, DWORD, LPDWORD ); 

DWORD (WINAPI *lpfGetModuleFiteNameEx)( HANDLE, HMODULE, LPTSTR, DWORD ); 

// VDMDBG Function Pointers. ^ 

INT (WINAPI *lpfVDMEnumTaskWOWEx)( DWORD, TASKENUMPROCEX fp, LPARAM ); 

// Check to see if were running under Windows95 or Windows NT. 
osverdwOSVersionlnfoSize = sizeof( osver ); 
if( !GetVersionEx( &osver ) ) 
{ 

return FALSE; 

} 

//If Windows NT: 

if( osver.dwPlatfonnId -= VER_PLATFORM_WIN32_NT ) 

^ // Load library and get the procedures explicitly. We do 

// this so that we don't have to worry about modules using 
// this code failing to load under Windows 95, because 
// it can't resolve references to the PSAPI.DLL. 
hInstLib - LoadLibraryA( "PSAPI.DLL" ); 
if( hInstLib = NULL) 
return FALSE; 



hInstLib2 = LoadLibraryA( "VDMDBaDLL" ); 
if(hInstLib2=NULL) 
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return FALSE ; 



// Get procedure addresses. 

IpfEnumProcesses = (BOOL(WINAPI *)(DWORD *,DWORD,DWORD'^)) 

GetProcAddress( hInstLib, "EnumProcesses" ); 
IpfEnumProcessModules = (BOOL(WINAPI *)(HANDLE, HMODULE DWORD, LPDWORD)) 

GetProcAddress( hInstLib, "EnumProcessModules" ); 
IpfGetModuleFileNameEx =(DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, DWORD )) 

GetProcAddress( hInstLib, "GetModuleFileNameExA" ); 
ipfVDMEnumTaskWOWEx =(INT(WTNAPI *)( DWORD, TASKENUMPROCEX, LPARAM)) 

GetProcAddress( hInstLib2, "VDMEnumTaskWOWEx" ); 

if( IpfEnumProcesses NULL || IpfEnumProcessModules ^ NULL || 

IpfGetModuleFileNameEx NULL || IpfVDMEnumTaskWOWEx == NULL) 

f 

FreeLibrary{ hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

// Call the PSAPI ftinction EnumProcesses to get all of the 

// ProcID's currently in the system. 

//NOTE: In the documentation, the third parameter of 

// EnumProcesses is named cbNeeded, which implies that you 

// can call the function once to find out how much space to 

// allocate for a buffer and again to fill the buffer. 

// This is not the case. The cbNeeded p,arameter returns 

// the number of PIDs returned, so if your buffer size is 

// zero cbNeeded returns zero. 

//NOTE: The "HeapAlloc" loop here ensures that we actually 

// allocate a buffer large enough for ail the PIDs in the system. 

dwSize2 = 256 * sizeof( DWORD ); 

IpdwPIDs-NULL; 

do 
f 

if(lpdwPIDs) 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
dwSize2 *=2; 

IpdwPIDs = (LPDWORD)HeapAUoc( GetProcessHeapQ, 0, dwSize2 ); 
\f{ IpdwPIDs — NULL) 

FreeLibraryC hInstLib ); 
FreeLibraryC hInstLib2 ); 
return FALSE; 

if( !lpfEnumProcesses( IpdwPIDs, dwSize2, &dwSize ) ) 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
FreeLibrary( hInstLib ); 
FreeLibrary( hInstLib2 ); 
return FALSE; 

} 

} 

while( dwSize = dwSize2 ); 

// How many ProcID's did we get? 
dwSize /= sizeof( DWORD ); 



// Loop through each ProcID. 

for( dwindex = 0 ; dwindex < dwSize ; dwIndex-H- ) 

{ 

szFileName[0] = 0; 

// Open the process (if we can... security does not 

// permit every process in the system). , „^ . ^ 

hProcess - OpenProcess( PROCESS_QUERY„INFORMATION | PROCESS_VM„READ, 
FALSE, lpdwPIDs[ dwindex ] ); 

if( hProcess !=NULL) 
{ 



-57- 



// Here we call EnumProcessModules to get only the 
// first module in the process this is important, 
// because this will be the .EXE module for which we 
// will retrieve the full path name in a second. 

if( IpfEnumProcessModules( hProcess, &hMod, sizeof( hMod ), &dwSize2 ) ) 
{ 

// Get Full pathname: 

if( !lpfGetModuleFileNameEx( hProcess, hMod, szFileName, sizeof( 
szFileName ) ) ) ^ 

szFileName[0] = 0; 

} 

} 

CloseHandIe( hProcess ); 

} 

// Regardless of OpenProcess success or failure, we 
// still call the enum func with the ProcID. 
if("lpProc( lpdwPIDs[dwIndex], 0, szFileName, IParam)) 
break; 

// Did we just bump into an NTVDM? 

if( stricmp( szFileName+(strlen(szFileName)-9), "NTVDM.EXE")-=0) 
{ 

// Fill in some info for the 16-bit enum proc. 
sInfo.dwPID = lpdwPIDs[dwIndex]; 
sInfo.lpProc = IpProc; 
sInfo.iParam ^ IParam; 
sInfo.bEnd- FALSE; 
//Enum the 16-bit stuff. 

lpfVDMEnumTaskWOWEx( lpdwPIDs[dwIndex], (TASKENUMPROCEX) Enum 16, 

(LPARAM) feslnfo); 
// Did our main enum func say quit? 
if(sInfo.bEnd) 

break; 

} 

HeapFree( GetProcessHeapQ, 0, IpdwPIDs ); 
FreeLibrary( hlnstLib2 ); 

//If Windows 95: 

else \f( osver.dwPlatformId VER_PLATFORM_WIN32_WINDOWS ) 

^ hInstLib - LoadLibraryA( "Kemel32.DLL" ); 

if(hInstUb = NULL) 
return FALSE; 

// Get procedure addresses. 

// We are linking to these functions of Kemel32 explicitly, because 
// otherwise a module using this code would fail to load under Windows NT, 
// wbich does not have the Toolhelp32 functions in the Kernel 32. 
lpfCreateToolhelp32Snapshot= (HANDLE(WINAPI *)(DWORD,DWORD)) 

GetProcAddress( hInstLib, "CreateToolhelp32Snapshot" ); 
lpfProcess32First= (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, "Process32Firsr ); 
lpfProcess32Next= (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32)) 

GetProcAddress( hInstLib, 'Trocess32Next" ); 

if( lpfProcess32Next NULL \\ lpfProcess32First = NULL || 
lpfCreateToolhelp32Snapshot == NULL ) 

{ 

FreeLibrary{ hInstLib ); 
return FALSE; 

} 

// Get a handle to a Toolhelp snapshot of the systems processes. 

hSnapShot = lpfCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); 

if( hSnapShot -= INVALID_HANDLE_VALUE ) 
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{ 

FreeLibrary( hInstLib ); 

return FALSE; 

} 

// Get the first process' information. 
procentry.dwSize - sizeof(PROCESSENTRY32); 
bFlag = !pfProcess32First( hSnapShot, &procentry ); 

while( bFlag ) 

//itoa(procentry.th32ProcessID, display, 16); 

//MessageBox( NULL, display, "Proc Killer 95 and NT", MB_OK ); 

// Call the enum func with the filename and ProcID. 

if(IpProc( procentry.th32ProcessID, 0, procentry.szExeFile, IParam )) 

^ procentry.dwSize = sizeof(PROCESSENTRY32); 

bFlag = lpfProcess32Next( hSnapShot, &procentry ); 

} 

else 

bFlag = FALSE; 

} 

CloseHandle(hSnapShot); 

} 

else 

return FALSE; 

if{firstTime = TRUE) 

firstTime = FALSE; 

// Free the library. 
FreeLibrary( hInstLib ); 

return TRUE; 

} 

BOOL WEsFAPI Enuml6( DWORD dwThreadId, WORD hModl6, WORD hTaskl6, 
PSZ pszModName, PSZ pszFileName, LPARAM IpUserDefmed ) 

{ 

BOOL bRet; 

EnumlnfoStruct *psInfo = (EnumlnfoStruct *)lpUserDefmed; 

bRet = psInfo->lpProc( psInfo->dwPID, hTaskl6, pszFileName, psInfo->IParam ); 

if(!bRet) 
{ 

psInfo->bEnd = TRUE; 

} 

return tbRet; 

} 



lllHIIIIIIflllllllllllllfllllllll 

// null out the current proc list 

llllllHlllllllllllllllllimiflll 

void nullCurrentProcListO 

{ 

int i=0; 

for (i = 0; i < max_count; 1++) 

currentProcs[i].th32ProcessID - 0; 
currentProcs[i].cntThreads = 0; 
strcpy(currentProcs[i] .szExeFile, " "); 

} 

} 

lllllllllllllflHIJIIIIIIIIfllllll 
II kill all non valid procs 
fllllllllllHIIIfflfllllllllflllll 
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void killAUNonValidProcsO 
{ 

PROCENUMPROC IpProc; 

LONG IParam; 

HANDLE procToKill, 

DWORD dwDesiredAccess; 

BOOL bInheritHandle; 

DWORD dwProcessId; 

FILE *fp_pids; // PIDs file 

FILE *fi)Jorestart; // file of processes that must be restarted all killed procs) 

int termVal; // is 0 if the process does not terminate 

char szSysPath[255]; 

long len; 

long lenWinDir; 

char szWinDir[255]; 

char szTaskMon[255]; 

int i; 

nuIiCurrentProcListO; 
lP'aram=0; 
lpProc= Proc; 

EnumProcs( IpProc, (LPARAM) &lParam ); 

// this will empty the restart file if it is not already null 
fpjorestart = fopenC'c:\\killedpids.txt", "w"); 
fclose(fp_torestart); 

fpjids = fopen("c:\\firstpids.txt", "a"); 
fprintf(fp_pids, "\n\nSe arching Procs to kiU:\n"); 
^rintf(f^_pids, \ri"); 
fclose(fp_pids); 

GetSystemDirectory(szSysPath,sizeof(szSysPath)); 
len = strlen(szSysPath); 
// kill all non-essential procs 

GetWindowsDirectory(szWinDir,sizeof(szWinDir)); 
lenWinDir = strien(szWinDir); 

strcpy(szTaskMon,szWinDir); 
strcat{szTaskMon,"\\TASKMON.EXE"); 
for (i 0; i < max_count; i-H-) 
{ 

char szShortPath[255]; 

GetShortPathName(currentProcs[i] .szExeFile,szShortPath,255) ; 

if (stricmp(&(currentProcs[i].szExeFile[len+l]),"KERNEL32.DLL") ^ 0 1| 

stricmp{&(currentProcs[i].szExeFiieDen+l]),"MSGSRV32.EXE") = 0 11 
stricmp(&(currentProcs[il.szExeFile[len+l]),"MPREXE.EXE") = 0 \\ 
stricmp(&(currentProcs[i].szExeFiie[len+l]),"MSTASK.EXE") == 0 \\ 
//stricmp(&(currentProcs[i].szExeFile[len-f l]),"RUNONCE.EXE") = 0 i| 
stricmp(&(currentProcs[i],szExeFile[len+l]),"RPCSS.EXE") = 0 \\ 
stricmp(&{currentProcs[i].szExeFilepen+l]),"SPOOL32.EXE") = 0 \\ 
stricmp(&(currentProcs[i].szExeFiIe[len+l]),"SSI_TIMER.DLL") -= 0 11 
//stricmp(&(currentProcs[i].szExeFile[lenWinDir+l]);'EXPLORERXXE") = 0 |i 

stricmp(currentProcs[i].szExeFiIe,"C:\\PROGRAMFILES\\SECUREXAM 

STUDENTWSSI STUDENT.EXE") = 0 1| 

stricmp(currentProcs[i].szExeFiIe/'C:\\WINDOWS\\DESKTOP\\SSLSTUDENT.EX^ 
// strcmp(currentProcs[i].szExeFile,"C:\\PROGRAMFILES\\MICROSOFT 

OFFICEWOFFTCEWWINWORD-EXE") 0 1| 

// word-> stricmp(szShortPath,lpszRetStr) = 0 |i 

//strcmp(currentProcs[i].szExeFile,"C:\\PROGRAM 

FILES\\WEBSVR\\SYSTEM\\INETSW95-EXE") = 0 1! 

//strcmp(currentProcs[i].szExeFile,"C:\\PROGRAMFILES\\NORTON 

ANTIVIRUS\\NAVAPW32.EXE") = 0 || 

stricmp(&(currentProcs[i].szExeFile[len+l]);'mmtask.tsk") = 0 H 
stricmp(&(currentProcs[i].szExeFile[len-M]);'PSTORES.EXE") = 0 |! 
strcmp(currentProcs[i].szExeFile,szTaskMon) = 0 1| 
stricmp(&(currentProcs[i].szExeFiIe[len+l]),"SYSTRAY.EXE") = 0 li 
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//strcmp(currentProcs[i].szExeFile/C:\\\VINDOWS\\ESSOLO.EXE") 0 || 
stricmp(currentProcs[i]-SzExeFile;'C;\\MOUSE\\SYSTEM\\EM_EXEC EXE") 0 || 
//strcmp(currentProcs[i].szExeFile,"C:\\IBMTOOLS\\APTEZBTN\\APTEZBP.EXE") 0 | 
//strcmp(currentProcs[i].szExeFile,"C:\\CSAFE\\AUTOCHK.EXE") 0 11 
//strcmp(currentProcs[i].szExeFile,"C:\\PROGRAM 
FILESWREALWREALPLAYERWREALPLAY.EXE") = 0 || 

//strcmp(currentProcs[i].szExeFile,"C:\\PROGRAM FILESWICQWICQ.EXE") = 0 \\ 
//strcmp(currentProcs[i].szExeFiIe;^C:\\PROGRAMFILES\\NORTON 

ANTIVIRUS\\NSCHED32.EXE") = 0 || 

//strcmp{cuiTentProcs[i].szExeFile,"C:\\PROGRAM FILESWMICROSOFT 

OFFICEWOFFICEWOSA.EXE") 0 |i 

// strcmp(currentProcs[i].szExeFile;'C:\\TOOLS_95\\IOWATCH.EXE") — 0 |i 

// strcmp(currentProcs[i].szExeFile;'C:\\TOOLS_95\\IMGICON.EXE") 0 || 

// strcmp(currentProcs[i].szExeFile,"C:\\PROGRAM 

FILES\\DEVSTUDIO\\SHAREDIDE\\BIN\\MSDEV.EXE") = 0 |1 

// stricmp(&{currentProcs[i].szExeFilenen+l])/WINOA386.MOD") = 0 || 



// — ladder old 

// ' stricmp(currentProcs[i],szExeFiie,"C:\\PROGRAMFILES\\SECUREXAM 

STUDENTWSTOP SSI DAEMON.EXE") 0 |! 

/* stricmp(currentProcs[i].szExeFile,"C:\\PROGRAMFILES\\SECUREXAM 

STUDENTWSSI DAEMON.EXE") = 0 || 

stricmp(currentProcs[i].szExeFi!e,"D:\\vs\\VB98\\VB6.EXE") == 0 || 
stricmp(currentProcs[i].szExeFile/'D:\\vs\\Common\\MSDev98\\Bin\\MSDEV.EXE") 0 1| 

strkmp(currentProcs[i].szExeFi!e/'E:\\Securexam\\ssi_daemon_win2000\\Debug\\ssL^ 

stricmp{cuiTentProcs[i].szExeFile;'E:\\Securexam\\ssi_daemon\\Debug\\ssi_daemon.exe'')=0 

*/ 

// — i Rep 

stricmp(currentProcs[i].S2ExeFile,"C:\\PROGRAM FILESWSECUREXAM 

STUDENTWSSI Temp.dat") = 0 || // <--othee file 

stricmp(currentProcs[i].szExeFiie,"CA\PROGRAM FILESWSECUREXAM 

STUDENTWSSITmpST.dat") -=0\\ II <--stop_ssi_daemon 

stricmp(currentProcs[i].szExeFile;'C:\\PROGRAM FILESWSECUREXAM 

STUDEN'n\SSITemp2.dat") = 0 ) /// <"Ssi_daemon 



// — -j end 



{ 
} 

else 
{ 



// do nothing, these are ok 



dwProcessId = currentProcs[i].th32ProcessID; 
if (dwProcessId NO) 
{ 

// kill these 

dwDesiredAccess - PROCESS_ALL_ACCESS; 
blnherilHandle =TRUE; 

procToKill = OpenProcess( dwDesiredAccess, bInheritHandle, dwProcessId ); 
termVal = TerminateProcess(procToKill, 0); 

// Who : Robin wei 

//Date : 02-9-24 14:52:53 

// Reason : To make sure the process has been terminated and clear the object 
// Modift' [Begin] 

// ^ if( stricmp(&(currentProcs[i].szExeFile[len+l]);'RUNONCE.EXE") 0 1| 

// stricmp{&{curremProcs[i].szExeFiie[lenWinDir+i]);'EXPLORER.EXE") = 

0) 

WaitForSingleObject(procToKili,INFINITE); 

CloseHandle(procToKill); 
// Modify [End] 

if(termVaI !=0) 

lp_pids = fopenrc:\\firstpids.txt", "a"); 

q3rintf(^_pids, "Proc KILLED: Ox%x %s\n", currentProcs[i].th32ProcessID, 

currentProcs[i].szExeFile); 
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fc!ose(fp_pids); 

// save the procs that must be restarted at end of exam to a .bat file 
//j old 

//fpjorestart = fopen{"c:\\restartpids.bat", "a+"); 
11} rep 

fpjorestart = fopen("c:\\killedpids.txt", "a+"); 
//j end 



fprintf(fp_torestart, "\"%s\"\n", curreatProcs[i].szExeFile); 
fclose(fp_torestart); 

} 

} 

} 

// append synchronization file creation to the end of the restart .bat file 

} 



int TerminateExplorerO 

{ 

PROCENUMPROC IpProc; 
LP ARAM IParam; 
HANDLE procToKill; 
DWORD dwDesiredAccess; 
BOOL blnheritHandle, procIsOK; 
DWORD dwProcessId; 
FILE *fpj)ids; //PIDsfile 
FILE *fp_cheat; // cheat file 
int i,j, num_valid; 

// kick off the SSI_STUDENT.exe 

//system( "c:\\tom\\procKiller95andNTA\SSI_STUDENT-exe" ); 

// init the start, current, and valid proc lists 
for (i = 0; i < max_count; i++) 

^ startProcs[i].th32ProcessID = 0; 

startProcs[i]xntThreads = 0; 
strcpy{startProcs[i].szExeFile, ""); 

validProcs[i].th32ProcessID = 0; 
validProcs[i].cntThreads = 0; 
strcpy(validProcs[i].szExeFiIe, ""); 

} 

nullCurrentProcListO; // clear the current proc list 



// get snapshot of starting processes 
firstTime = TRUE; 
lParam=0; 
lpProc= Proc; 

EnumProcs( IpProc, (LPARAM) (&lParam) ); 
firstTime = FALSE; 
// write out starting processes to file 
fp_pids = fopen("c:\\firstpids.txt", "w+"); 
fprintf(fp_pids, \ n"); 
for (i = 0; i < max_count; i-H-) 

^ if (startProcs[i].th32ProcessID 1^ 0) 

^ fprintf(^_pids, "Ox%x %ld %s\n", startProcs[i].th32ProcessID, 

startProcs[i].cntThreads, startProcsIi] .szExeFile); 

} 

} 

fclose(fp_pids); 

// delete all non-essential processes 
killAllNonVaiidProcsO; 
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FreeConsoleO; 

return 0; 



Hooks32.h 



// T.Regan 4/2/99 Added WH_SHELL handling. 

// T. Regan 4/1 0/99 Merged in Chris' code 

^define IDM_ABOUT 1 00 

#defme IDM_CALLWNDPROC 200 

#define IDM_CBT 201 

#define IDM_GETMESSAGE 202 

#defme IDMJOURNALPLAYBACK 203 

#define IDMJOURNALRECORD 204 

#define IDM_KEYBOARD 205 

#define IDM_MOUSE 206 

#define IDM_MSGFILTER 207 

#defme IDM_SYSMSGFILTER 208 

#defme IDM^DEBUG 209 

#defme IDM__SHELL 210 

#define CALLWNDPROCINDEX 0 

#define CBTINDEX (IDM„CBT - IDM_CALLWNDPROC) 

#define GETMESSAGEINDEX (IDM_GETMESSAGE - IDM_CALLWNDPROC) 

#defme JOURNALPLAYBACKINDEX (IDMJOURNALPLAYBACK - IDM„CALLWNDPROC) 

#defineJOURNALRECORDINDEX (IDMJOURNALRECORD - IDM_CALLWNDPROC) 

#define KEYBOARDINDEX (IDM_KEYBOARD - IDM_CALLWNDPROC) 

#define MOUSEINDEX (IDM^MOUSE - IDM_C ALLWNDPROC) 

#define MSGFILTERINDEX (IDM_MSGFILTER - IDM_CALLWNDPROC) 

^define SYSMSGFILTERINDEX (IDM_SYSMSGFILTER - IDM__CALLWNDPROC) 

#define DEBUGFILTERINDEX (IDM_DEBUG - IDM_CALLWNDPROC) 

#define SHELLFILTERINDEX (IDM_SHELL - IDM_CALLWNDPROC) 

#define LowLevelKeyboardProcIndex 1 1 

#define NUMOFHOOKS 12 

// 

// Entry functions for the DLL 

// 

int FAR PASCAL InitHooksDIKHWND hwndMainWindow, int nWinLineHeight); 

int FAR PASCAL PaintHooksDU(HDC hDC ); 

int FAR PASCAL InstallFilter (int nHooklndex, int nCode ); 

int FAR PASCAL ExitHooksDll(HWND hwndM^nWindow, int nWinLineHeight); 

int FAR PASCAL MyEnabIeDbClick(int value); 

int FAR PASCAL BeginThreadQ; 

int FAR PASCAL EndThreadQ; 

int FAR PASCAL CheckUserSid(LPSTR outDomainName,LPSTR outUserName); 

int FAR PASCAL SaveUserSidQ; 

inl FAR PASCAL LogoffCurrentUserO; 

int CALLBACK fnGetPrivateInfo(LPSTR inStr,LPSTR rtStrJnt CaliSeq); 



